Edit tour

Windows Analysis Report
ScreenConnect.Client.exe

Overview

General Information

Sample name:	ScreenConnect.Client.exe
Analysis ID:	1430690
MD5:	88a8d150f1a63302ddc2d5114cfa5df2
SHA1:	0bf2abb33b7fda9ea7a96b68f784684b975e6b92
SHA256:	37fcb2df95b2ba1bc601c6140b1d415ba362ea67834bc13d1eaebbb69a1e5f68
Tags:	exe
Infos:

Detection

ScreenConnect Tool

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Compliance

Score:	33
Range:	0 - 100

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

.NET source code references suspicious native API functions

Contains functionality to hide user accounts

Enables network access during safeboot for specific services

Machine Learning detection for sample

Reads the Security eventlog

Reads the System eventlog

Adds / modifies Windows certificates

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates or modifies windows services

Detected potential crypto function

Drops PE files

Drops certificate files (DER)

EXE planting / hijacking vulnerabilities found

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

JA3 SSL client fingerprint seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

May use bcdedit to modify the Windows boot settings

Modifies existing windows services

PE file contains an invalid checksum

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Dfsvc.EXE Network Connection To Uncommon Ports

Stores large binary data to the registry

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected ScreenConnect Tool

Classification

Process Tree

System is w10x64

ScreenConnect.Client.exe (PID: 4996 cmdline: "C:\Users\user\Desktop\ScreenConnect.Client.exe" MD5: 88A8D150F1A63302DDC2D5114CFA5DF2)

dfsvc.exe (PID: 1048 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe" MD5: B4088F44B80D363902E11F897A7BAC09)

ScreenConnect.WindowsClient.exe (PID: 528 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe" MD5: 5DEC65C4047DE914C78816B8663E3602)

ScreenConnect.ClientService.exe (PID: 5112 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=instance-ci40ys-relay.screenconnect.com&p=443&s=f5fa31ab-3d6b-4ee5-bfb2-5ad29218d79d&k=BgIAAACkAABSU0ExAAgAAAEAAQD9W8zoNnWPJoC76yT2IsLormUE81mBMnaWjFNs3fZDUt%2fuPrvind%2f8vwd0BQl3L0KToJz0OEFRb9JGHP3C35cRcpSBwPza6Nz%2fkAsAH0ilFSAm8EWT2EeRPlbvdxwcDAiKBZ83L%2buWfTmIYPnucJuK3Ilz9SL%2ffGZRWRlZKvsfRj3gKzbvZ1GMSafa1764zjIi6OZySfgjZVNBAxrg21rNeq4Q4RYmuEHkOyZ0quLNNoGAclMpQWUsVu3cBwsmOWEqC%2fG4l1BxM563kpsC1GTA3rjAUmyvvkBXzg9HU7hKY%2bllFed5jp%2fhAgzJv6mqZQpOpRNIzwXj41kCzYdVD%2bu0&r=&i=Untitled%20Session" "1" MD5: DC615E9D8EC81CBF2E2452516373E5A0)

svchost.exe (PID: 6212 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

ScreenConnect.ClientService.exe (PID: 5964 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=instance-ci40ys-relay.screenconnect.com&p=443&s=f5fa31ab-3d6b-4ee5-bfb2-5ad29218d79d&k=BgIAAACkAABSU0ExAAgAAAEAAQD9W8zoNnWPJoC76yT2IsLormUE81mBMnaWjFNs3fZDUt%2fuPrvind%2f8vwd0BQl3L0KToJz0OEFRb9JGHP3C35cRcpSBwPza6Nz%2fkAsAH0ilFSAm8EWT2EeRPlbvdxwcDAiKBZ83L%2buWfTmIYPnucJuK3Ilz9SL%2ffGZRWRlZKvsfRj3gKzbvZ1GMSafa1764zjIi6OZySfgjZVNBAxrg21rNeq4Q4RYmuEHkOyZ0quLNNoGAclMpQWUsVu3cBwsmOWEqC%2fG4l1BxM563kpsC1GTA3rjAUmyvvkBXzg9HU7hKY%2bllFed5jp%2fhAgzJv6mqZQpOpRNIzwXj41kCzYdVD%2bu0&r=&i=Untitled%20Session" "1" MD5: DC615E9D8EC81CBF2E2452516373E5A0)

ScreenConnect.WindowsClient.exe (PID: 7020 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe" "RunRole" "00bf8db2-e7be-4b91-a934-0cef64fa5596" "User" MD5: 5DEC65C4047DE914C78816B8663E3602)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..ient_4b14c015c87c1ad8_0017.0009_none_c7123e2bd9a688c6\ScreenConnect.WindowsClient.exe	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..ient_4b14c015c87c1ad8_0017.0009_none_c7123e2bd9a688c6\ScreenConnect.WindowsClient.exe	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000006.00000000.2420711709.0000000000CA2000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
00000002.00000002.3084038750.000002CD540FF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
00000006.00000002.2446052274.0000000002F37000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
Process Memory Space: dfsvc.exe PID: 1048	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
Process Memory Space: ScreenConnect.WindowsClient.exe PID: 528	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
Process Memory Space: ScreenConnect.ClientService.exe PID: 5112	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.0.ScreenConnect.WindowsClient.exe.ca0000.0.unpack	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security

Sigma Signatures

Sigma detected: Dfsvc.EXE Network Connection To Uncommon Ports

Source: Network Connection

Author: Nasreddine Bencherchali (Nextron Systems): Data: DestinationIp: 192.168.2.6, DestinationIsIpv6: false, DestinationPort: 49714, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe, Initiated: true, ProcessId: 1048, Protocol: tcp, SourceIp: 147.28.128.254, SourceIsIpv6: false, SourcePort: 443

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6212, ProcessName: svchost.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..ient_4b14c015c87c1ad8_0017.0009_none_c7123e2bd9a688c6\ScreenConnect.WindowsClient.exe	Virustotal: Detection: 7%			Perma Link
Source: C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.WindowsClient.exe	Virustotal: Detection: 7%			Perma Link

Multi AV Scanner detection for submitted file

Source: ScreenConnect.Client.exe	ReversingLabs: Detection: 23%
Source: ScreenConnect.Client.exe	Virustotal: Detection: 21%			Perma Link

Machine Learning detection for sample

Source: ScreenConnect.Client.exe

Joe Sandbox ML: detected

Cryptography

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\ScreenConnect.Client.exe

Code function: 0_2_00091000 LoadLibraryA,GetProcAddress,LocalAlloc,LocalAlloc,GetModuleFileNameW,CreateFileW,SetFilePointer,SetFilePointer,ReadFile,ReadFile,LocalAlloc,SetFilePointer,ReadFile,CertOpenSystemStoreA,LocalFree,CryptQueryObject,CryptMsgGetParam,LocalAlloc,CryptMsgGetParam,CertCreateCertificateContext,CertAddCertificateContextToStore,CertFreeCertificateContext,LocalFree,LocalFree,CryptMsgClose,LoadLibraryA,GetProcAddress,Sleep,CertDeleteCertificateFromStore,CertDeleteCertificateFromStore,CertCloseStore,CloseHandle,LocalFree,LocalFree,

0_2_00091000

Privilege Escalation

EXE planting / hijacking vulnerabilities found

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..ient_4b14c015c87c1ad8_0017.0009_none_c7123e2bd9a688c6\ScreenConnect.WindowsClient.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\ScreenConnect.ClientService.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\ScreenConnect.WindowsFileManager.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\ScreenConnect.WindowsBackstageShell.exe	Jump to behavior

Compliance

EXE planting / hijacking vulnerabilities found

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..ient_4b14c015c87c1ad8_0017.0009_none_c7123e2bd9a688c6\ScreenConnect.WindowsClient.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\ScreenConnect.ClientService.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\ScreenConnect.WindowsFileManager.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\ScreenConnect.WindowsBackstageShell.exe	Jump to behavior

Uses 32bit PE files

Source: ScreenConnect.Client.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

PE / OLE file has a valid certificate

Source: ScreenConnect.Client.exe

Static PE information: certificate valid

Uses secure TLS version for HTTPS connections

Source: unknown

HTTPS traffic detected: 147.28.128.254:443 -> 192.168.2.6:49714 version: TLS 1.2

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: ScreenConnect.Client.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr
Source:	Binary string: C:\Users\jmorgan\Source\cwcontrol\Misc\Bootstrapper\Release\ClickOnceRunner.pdb source: ScreenConnect.Client.exe
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: dfsvc.exe, 00000002.00000002.3084038750.000002CD541D9000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD53E9F000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.2444186300.00000000024F2000.00000002.00000001.01000000.0000000E.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.3345646904.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.3345293271.0000000001250000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.ClientService.dll.2.dr, ScreenConnect.ClientService.dll0.2.dr
Source:	Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000007.00000000.2428596297.0000000000BFD000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr
Source:	Binary string: mscorlib.pdb source: ScreenConnect.ClientService.exe, 00000008.00000002.3343087930.000000000086E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: dfsvc.exe, 00000002.00000002.3084038750.000002CD541D9000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD540CF000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54519000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.2447682763.000000001BFB2000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Windows.dll0.2.dr, ScreenConnect.Windows.dll.2.dr
Source:	Binary string: ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.Client.pdb source: ScreenConnect.ClientService.exe, 00000008.00000002.3343087930.00000000008A3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000006.00000000.2420711709.0000000000CA2000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsClient.exe.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: dfsvc.exe, 00000002.00000002.3084038750.000002CD541D9000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD53EA8000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.2445850817.00000000014F2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.ClientService.exe, 00000008.00000002.3343087930.000000000086E000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.Client.dll.2.dr, ScreenConnect.Client.dll0.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb] source: dfsvc.exe, 00000002.00000002.3084038750.000002CD541D9000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD53EA8000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.2445850817.00000000014F2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.ClientService.exe, 00000008.00000002.3343087930.000000000086E000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.Client.dll.2.dr, ScreenConnect.Client.dll0.2.dr
Source:	Binary string: b.pdb source: ScreenConnect.ClientService.exe, 00000008.00000002.3343087930.00000000007EE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdbY/ source: dfsvc.exe, 00000002.00000002.3084038750.000002CD541D9000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD53EAC000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.2444628670.0000000004B22000.00000002.00000001.01000000.0000000F.sdmp, ScreenConnect.ClientService.exe, 00000008.00000002.3343087930.000000000089A000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.Core.dll0.2.dr, ScreenConnect.Core.dll.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: dfsvc.exe, 00000002.00000002.3084038750.000002CD541D9000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD53EAC000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.2444628670.0000000004B22000.00000002.00000001.01000000.0000000F.sdmp, ScreenConnect.ClientService.exe, 00000008.00000002.3343087930.000000000089A000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.Core.dll0.2.dr, ScreenConnect.Core.dll.2.dr

Spreading

Source: C:\Users\user\Desktop\ScreenConnect.Client.exe

Code function: 0_2_00094A8B FindFirstFileExA,

0_2_00094A8B

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File opened: C:\Users\user\AppData\Local\Apps\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File opened: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File opened: C:\Users\user\AppData\Local\Apps\2.0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Networking

Enables network access during safeboot for specific services

Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe

Registry value created: NULL Service

Jump to behavior

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=instance-ci40ys-relay.screenconnect.com&p=443&s=f5fa31ab-3d6b-4ee5-bfb2-5ad29218d79d&k=BgIAAACkAABSU0ExAAgAAAEAAQD9W8zoNnWPJoC76yT2IsLormUE81mBMnaWjFNs3fZDUt%2fuPrvind%2f8vwd0BQl3L0KToJz0OEFRb9JGHP3C35cRcpSBwPza6Nz%2fkAsAH0ilFSAm8EWT2EeRPlbvdxwcDAiKBZ83L%2buWfTmIYPnucJuK3Ilz9SL%2ffGZRWRlZKvsfRj3gKzbvZ1GMSafa1764zjIi6OZySfgjZVNBAxrg21rNeq4Q4RYmuEHkOyZ0quLNNoGAclMpQWUsVu3cBwsmOWEqC%2fG4l1BxM563kpsC1GTA3rjAUmyvvkBXzg9HU7hKY%2bllFed5jp%2fhAgzJv6mqZQpOpRNIzwXj41kCzYdVD%2bu0&r=&i=Untitled%20Session HTTP/1.1Host: marcile61.screenconnect.comAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.manifest HTTP/1.1Host: marcile61.screenconnect.comAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.ClientService.exe HTTP/1.1Host: marcile61.screenconnect.comAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe HTTP/1.1Host: marcile61.screenconnect.comAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe.config HTTP/1.1Host: marcile61.screenconnect.comAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe.config HTTP/1.1Host: marcile61.screenconnect.comAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe.config HTTP/1.1Host: marcile61.screenconnect.comAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe HTTP/1.1Host: marcile61.screenconnect.comAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe HTTP/1.1Host: marcile61.screenconnect.comAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Windows.dll HTTP/1.1Host: marcile61.screenconnect.comAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Core.dll HTTP/1.1Host: marcile61.screenconnect.comAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.dll HTTP/1.1Host: marcile61.screenconnect.comAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.ClientService.dll HTTP/1.1Host: marcile61.screenconnect.comAccept-Encoding: gzip

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=instance-ci40ys-relay.screenconnect.com&p=443&s=f5fa31ab-3d6b-4ee5-bfb2-5ad29218d79d&k=BgIAAACkAABSU0ExAAgAAAEAAQD9W8zoNnWPJoC76yT2IsLormUE81mBMnaWjFNs3fZDUt%2fuPrvind%2f8vwd0BQl3L0KToJz0OEFRb9JGHP3C35cRcpSBwPza6Nz%2fkAsAH0ilFSAm8EWT2EeRPlbvdxwcDAiKBZ83L%2buWfTmIYPnucJuK3Ilz9SL%2ffGZRWRlZKvsfRj3gKzbvZ1GMSafa1764zjIi6OZySfgjZVNBAxrg21rNeq4Q4RYmuEHkOyZ0quLNNoGAclMpQWUsVu3cBwsmOWEqC%2fG4l1BxM563kpsC1GTA3rjAUmyvvkBXzg9HU7hKY%2bllFed5jp%2fhAgzJv6mqZQpOpRNIzwXj41kCzYdVD%2bu0&r=&i=Untitled%20Session HTTP/1.1Host: marcile61.screenconnect.comAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.manifest HTTP/1.1Host: marcile61.screenconnect.comAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.ClientService.exe HTTP/1.1Host: marcile61.screenconnect.comAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe HTTP/1.1Host: marcile61.screenconnect.comAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe.config HTTP/1.1Host: marcile61.screenconnect.comAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe.config HTTP/1.1Host: marcile61.screenconnect.comAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe.config HTTP/1.1Host: marcile61.screenconnect.comAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe HTTP/1.1Host: marcile61.screenconnect.comAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe HTTP/1.1Host: marcile61.screenconnect.comAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Windows.dll HTTP/1.1Host: marcile61.screenconnect.comAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Core.dll HTTP/1.1Host: marcile61.screenconnect.comAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.dll HTTP/1.1Host: marcile61.screenconnect.comAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.ClientService.dll HTTP/1.1Host: marcile61.screenconnect.comAccept-Encoding: gzip

Source: unknown

DNS traffic detected: queries for: marcile61.screenconnect.com

Source: dfsvc.exe, 00000002.00000002.3084038750.000002CD54535000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD541D9000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54074000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54060000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54531000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54064000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54521000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD545A1000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD5451D000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.Client.exe, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: dfsvc.exe, 00000002.00000002.3084038750.000002CD54074000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3095349059.000002CD70290000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54060000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54531000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54064000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54521000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3100207956.000002CD70331000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3093536337.000002CD6E0A7000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD5451D000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.Client.exe, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: dfsvc.exe, 00000002.00000002.3084038750.000002CD54074000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54060000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54531000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54064000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54521000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3083099695.000002CD52210000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD5451D000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.Client.exe, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: F2E248BEDDBB2D85122423C41028BFD40.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
Source: ScreenConnect.Client.exe, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: svchost.exe, 00000004.00000002.3348174534.00000104F888D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: dfsvc.exe, 00000002.00000002.3084038750.000002CD54535000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD541D9000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54074000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54060000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54531000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54064000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD545EB000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54521000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD545A1000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD5451D000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.Client.exe, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: dfsvc.exe, 00000002.00000002.3084038750.000002CD54074000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3095349059.000002CD70290000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54060000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54531000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54064000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54521000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3100207956.000002CD70331000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3093536337.000002CD6E0A7000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD5451D000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.Client.exe, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: ScreenConnect.Client.exe, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ScreenConnect.WindowsFileManager.exe0.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: dfsvc.exe, 00000002.00000002.3084038750.000002CD54074000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3095349059.000002CD70290000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54060000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54531000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54064000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54521000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3100207956.000002CD70331000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3093536337.000002CD6E0A7000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD5451D000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.Client.exe, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: dfsvc.exe, 00000002.00000002.3094104894.000002CD6E0BE000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.2.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: 57C8EDB95DF3F0AD4EE2DC2B8CFD4157.2.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: dfsvc.exe, 00000002.00000002.3092471158.000002CD6E03A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enI
Source: qmgr.db.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acocfkfsx7alydpzevdxln7drwdq_117.0.5938.134/117.0.5
Source: qmgr.db.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.4.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: ScreenConnect.ClientService.exe, 00000008.00000002.3343087930.00000000007EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://instance-ci40ys-relay.screenconnect.com:443/
Source: ScreenConnect.ClientService.exe, 00000008.00000002.3343087930.00000000007EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://instance-ci40ys-relay.screenconnect.com:443/)
Source: ScreenConnect.ClientService.exe, 00000008.00000002.3343087930.00000000007EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://instance-ci40ys-relay.screenconnect.com:443/?
Source: ScreenConnect.ClientService.exe, 00000008.00000002.3343087930.00000000007EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://instance-ci40ys-relay.screenconnect.com:443/c
Source: ScreenConnect.ClientService.exe, 00000008.00000002.3347883381.000000000143E000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000008.00000002.3347883381.0000000001770000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000008.00000002.3347883381.0000000001804000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000008.00000002.3347883381.0000000001682000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000008.00000002.3347883381.000000000148D000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000008.00000002.3347883381.00000000016BE000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000008.00000002.3347883381.000000000153E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://instance-ci40ys-relay.screenconnect.com:443/d
Source: dfsvc.exe, 00000002.00000002.3084038750.000002CD54535000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54591000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54466000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD545EB000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD545A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://marcile61.screenconnect.com
Source: C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141.2.dr	String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxX
Source: dfsvc.exe, 00000002.00000002.3084038750.000002CD54074000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3095349059.000002CD70290000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54060000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54531000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54064000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54521000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3100207956.000002CD70331000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3093536337.000002CD6E0A7000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD5451D000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.Client.exe, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: ScreenConnect.Client.exe, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: dfsvc.exe, 00000002.00000002.3084038750.000002CD54535000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD541D9000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54074000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54060000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54531000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54064000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD545EB000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54521000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD545A1000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD5451D000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.Client.exe, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: ScreenConnect.Client.exe, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: dfsvc.exe, 00000002.00000002.3091076826.000002CD6C688000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.cr
Source: dfsvc.exe, 00000002.00000002.3094104894.000002CD6E0D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedRootG4.crl
Source: dfsvc.exe, 00000002.00000002.3092471158.000002CD6E022000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.microso
Source: dfsvc.exe, 00000002.00000002.3084038750.000002CD53E3A000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000008.00000002.3347883381.00000000013B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: dfsvc.exe, 00000002.00000002.3084038750.000002CD54535000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54591000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54466000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD545EB000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD545A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://server-nixeba81050-web.screenconnect.com
Source: dfsvc.exe, 00000002.00000002.3084038750.000002CD545A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://server-nixeba81050-web.screenconnect.com0
Source: dfsvc.exe, 00000002.00000002.3084038750.000002CD54074000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3095349059.000002CD70290000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54060000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54531000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54064000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54521000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3100207956.000002CD70331000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3093536337.000002CD6E0A7000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD5451D000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.Client.exe, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: dfsvc.exe, 00000002.00000002.3084038750.000002CD5426A000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD5423E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.o
Source: dfsvc.exe, 00000002.00000002.3084038750.000002CD5426A000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD5428D000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD540FF000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD542B9000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3095043839.000002CD6E1CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.or
Source: dfsvc.exe, 00000002.00000002.3084038750.000002CD5428D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.or0
Source: dfsvc.exe, 00000002.00000002.3084038750.000002CD53EB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.xrml.org/schema/2001/11/xrml2core
Source: dfsvc.exe, 00000002.00000002.3084038750.000002CD53EB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.xrml.org/schema/2001/11/xrml2coreS
Source: ScreenConnect.Core.dll.2.dr	String found in binary or memory: https://feedback.screenconnect.com/Feedback.axd
Source: edb.log.4.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 00000004.00000003.2105045094.00000104F8600000.00000004.00000800.00020000.00000000.sdmp, edb.log.4.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: dfsvc.exe, 00000002.00000002.3084038750.000002CD54337000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://marcile61.scree
Source: dfsvc.exe, 00000002.00000002.3084038750.000002CD545A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://marcile61.screenco
Source: dfsvc.exe, 00000002.00000002.3084038750.000002CD54535000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54591000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54466000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD545EB000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54079000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD545A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://marcile61.screenconnect.com
Source: ScreenConnect.WindowsClient.exe, 00000006.00000002.2445196544.0000000001336000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.2447132803.000000001B8AD000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.2445196544.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.2447152882.000000001B8B6000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.2446052274.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.2445705427.0000000001363000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.2446052274.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.2446052274.0000000002EC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://marcile61.screenconnect.com/Bin/ScreenConnect.Client.application
Source: ScreenConnect.WindowsClient.exe, 00000006.00000002.2446052274.0000000002EC0000.00000004.00000800.00020000.00000000.sdmp, GWVHVA9M.log.2.dr	String found in binary or memory: https://marcile61.screenconnect.com/Bin/ScreenConnect.Client.application#ScreenConnect.WindowsClient
Source: ScreenConnect.WindowsClient.exe, 00000006.00000002.2445196544.00000000012A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://marcile61.screenconnect.com/Bin/ScreenConnect.Client.application0898jQ
Source: dfsvc.exe, 00000002.00000002.3092471158.000002CD6E03A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://marcile61.screenconnect.com/Bin/ScreenConnect.Client.application9
Source: ScreenConnect.WindowsClient.exe, 00000006.00000002.2445196544.00000000012A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://marcile61.screenconnect.com/Bin/ScreenConnect.Client.application96jG
Source: GWVHVA9M.log.2.dr	String found in binary or memory: https://marcile61.screenconnect.com/Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=instanc
Source: ScreenConnect.WindowsClient.exe, 00000006.00000002.2445196544.0000000001336000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://marcile61.screenconnect.com/Bin/ScreenConnect.Client.applicationB
Source: ScreenConnect.WindowsClient.exe, 00000006.00000002.2446052274.0000000002EC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://marcile61.screenconnect.com/Bin/ScreenConnect.Client.applicationX
Source: ScreenConnect.WindowsClient.exe, 00000006.00000002.2445196544.0000000001336000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://marcile61.screenconnect.com/Bin/ScreenConnect.Client.application~
Source: dfsvc.exe, 00000002.00000002.3095349059.000002CD70290000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD5401A000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54466000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://marcile61.screenconnect.com/Bin/ScreenConnect.Client.dll
Source: ScreenConnect.WindowsClient.exe, 00000006.00000002.2446052274.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, GWVHVA9M.log.2.dr	String found in binary or memory: https://marcile61.screenconnect.com/Bin/ScreenConnect.Client.manifest
Source: dfsvc.exe, 00000002.00000002.3099266828.000002CD702D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://marcile61.screenconnect.com/Bin/ScreenConnect.Client.manifest2
Source: ScreenConnect.WindowsClient.exe, 00000006.00000002.2447338158.000000001B94C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://marcile61.screenconnect.com/Bin/ScreenConnect.Client.manifestE
Source: dfsvc.exe, 00000002.00000002.3092471158.000002CD6E03A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://marcile61.screenconnect.com/Bin/ScreenConnect.Client.manifestk
Source: dfsvc.exe, 00000002.00000002.3084038750.000002CD54466000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://marcile61.screenconnect.com/Bin/ScreenConnect.ClientSe
Source: dfsvc.exe, 00000002.00000002.3084038750.000002CD5401A000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3099266828.000002CD702D9000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54466000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://marcile61.screenconnect.com/Bin/ScreenConnect.ClientService.dll
Source: dfsvc.exe, 00000002.00000002.3084038750.000002CD54466000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://marcile61.screenconnect.com/Bin/ScreenConnect.ClientService.exe
Source: dfsvc.exe, 00000002.00000002.3099266828.000002CD702D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://marcile61.screenconnect.com/Bin/ScreenConnect.ClientService.exeH
Source: dfsvc.exe, 00000002.00000002.3095349059.000002CD70290000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD5401A000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54466000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://marcile61.screenconnect.com/Bin/ScreenConnect.Core.dll
Source: dfsvc.exe, 00000002.00000002.3095349059.000002CD70290000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://marcile61.screenconnect.com/Bin/ScreenConnect.Core.dllKL
Source: dfsvc.exe, 00000002.00000002.3084038750.000002CD545EB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://marcile61.screenconnect.com/Bin/ScreenConnect.Wind
Source: dfsvc.exe, 00000002.00000002.3084038750.000002CD545EB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://marcile61.screenconnect.com/Bin/ScreenConnect.Windows.dll
Source: dfsvc.exe, 00000002.00000002.3084038750.000002CD54535000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://marcile61.screenconnect.com/Bin/ScreenConnect.WindowsBackstage
Source: dfsvc.exe, 00000002.00000002.3084038750.000002CD545A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://marcile61.screenconnect.com/Bin/ScreenConnect.WindowsBackstageShell.ex
Source: dfsvc.exe, 00000002.00000002.3084038750.000002CD54535000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3092471158.000002CD6E022000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54466000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://marcile61.screenconnect.com/Bin/ScreenConnect.WindowsBackstageShell.exe
Source: dfsvc.exe, 00000002.00000002.3084038750.000002CD545A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://marcile61.screenconnect.com/Bin/ScreenConnect.WindowsBackstageShell.exe.config
Source: dfsvc.exe, 00000002.00000002.3094104894.000002CD6E0BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://marcile61.screenconnect.com/Bin/ScreenConnect.WindowsBackstageShell.exe.configKP
Source: dfsvc.exe, 00000002.00000002.3084038750.000002CD545A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://marcile61.screenconnect.com/Bin/ScreenConnect.WindowsC
Source: dfsvc.exe, 00000002.00000002.3084038750.000002CD545A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://marcile61.screenconnect.com/Bin/ScreenConnect.WindowsClient.exe
Source: dfsvc.exe, 00000002.00000002.3084038750.000002CD545A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://marcile61.screenconnect.com/Bin/ScreenConnect.WindowsClient.exe.config
Source: dfsvc.exe, 00000002.00000002.3091076826.000002CD6C5F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://marcile61.screenconnect.com/Bin/ScreenConnect.WindowsClient.exe.config4
Source: dfsvc.exe, 00000002.00000002.3099266828.000002CD702D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://marcile61.screenconnect.com/Bin/ScreenConnect.WindowsClient.exeF
Source: dfsvc.exe, 00000002.00000002.3084038750.000002CD54591000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://marcile61.screenconnect.com/Bin/ScreenConnect.WindowsClient.exx
Source: dfsvc.exe, 00000002.00000002.3084038750.000002CD54535000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://marcile61.screenconnect.com/Bin/ScreenConnect.WindowsFileManager.e
Source: dfsvc.exe, 00000002.00000002.3084038750.000002CD545A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://marcile61.screenconnect.com/Bin/ScreenConnect.WindowsFileManager.exe
Source: dfsvc.exe, 00000002.00000002.3084038750.000002CD54591000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3092471158.000002CD6E022000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54466000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://marcile61.screenconnect.com/Bin/ScreenConnect.WindowsFileManager.exe.config
Source: dfsvc.exe, 00000002.00000002.3092471158.000002CD6E022000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://marcile61.screenconnect.com/Bin/ScreenConnect.WindowsFileManager.exe.configj
Source: dfsvc.exe, 00000002.00000002.3083099695.000002CD522D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://marcile61.screenconnect.com/Bin/ScreenConnect.WindowsFileManager.exe~
Source: dfsvc.exe, 00000002.00000002.3084038750.000002CD545A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://marcile61.screenconnect.com/Bin/ScreenConnect.WindowsFileManagp

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746

Uses secure TLS version for HTTPS connections

Source: unknown

HTTPS traffic detected: 147.28.128.254:443 -> 192.168.2.6:49714 version: TLS 1.2

E-Banking Fraud

Drops certificate files (DER)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4			Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands

Reads the Security eventlog

Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnect	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnect	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnect	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnect	Jump to behavior

Reads the System eventlog

Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\ScreenConnect	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\ScreenConnect	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\ScreenConnect	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\ScreenConnect	Jump to behavior

System Summary

Contains functionality to launch a process as a different user

Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe

Code function: 8_2_04A6B510 CreateProcessAsUserW,

8_2_04A6B510

Creates files inside the system directory

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Detected potential crypto function

Source: C:\Users\user\Desktop\ScreenConnect.Client.exe	Code function: 0_2_0009A4D5	0_2_0009A4D5
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD348CD510	2_2_00007FFD348CD510
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD348E2531	2_2_00007FFD348E2531
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD348D2590	2_2_00007FFD348D2590
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD348C2758	2_2_00007FFD348C2758
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD348ED77D	2_2_00007FFD348ED77D
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD348E3229	2_2_00007FFD348E3229
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD348CF188	2_2_00007FFD348CF188
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD348CA1BF	2_2_00007FFD348CA1BF
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD348C327D	2_2_00007FFD348C327D
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD348E3C9E	2_2_00007FFD348E3C9E
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD348BAEF5	2_2_00007FFD348BAEF5
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD348C97B8	2_2_00007FFD348C97B8
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD348C2110	2_2_00007FFD348C2110
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD348D3101	2_2_00007FFD348D3101
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD348B1211	2_2_00007FFD348B1211
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD348BD1D9	2_2_00007FFD348BD1D9
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD348BF441	2_2_00007FFD348BF441
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD348D3A70	2_2_00007FFD348D3A70
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Code function: 6_2_00007FFD348DA005	6_2_00007FFD348DA005
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Code function: 6_2_00007FFD348C7294	6_2_00007FFD348C7294
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Code function: 6_2_00007FFD348CBFB8	6_2_00007FFD348CBFB8
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Code function: 6_2_00007FFD348CDFA9	6_2_00007FFD348CDFA9
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Code function: 6_2_00007FFD348C112F	6_2_00007FFD348C112F
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Code function: 6_2_00007FFD348C91FA	6_2_00007FFD348C91FA
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Code function: 6_2_00007FFD348C11FA	6_2_00007FFD348C11FA
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Code function: 6_2_00007FFD348C9218	6_2_00007FFD348C9218
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Code function: 6_2_00007FFD348C1175	6_2_00007FFD348C1175
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Code function: 6_2_00007FFD348C1450	6_2_00007FFD348C1450
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Code function: 6_2_00007FFD348C1445	6_2_00007FFD348C1445
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Code function: 6_2_00007FFD348C0C40	6_2_00007FFD348C0C40
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Code function: 8_2_04A64F00	8_2_04A64F00
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Code function: 8_2_04A64F00	8_2_04A64F00
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD348A04F4	9_2_00007FFD348A04F4
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD34899EF3	9_2_00007FFD34899EF3
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD3489FED3	9_2_00007FFD3489FED3
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD34896FF2	9_2_00007FFD34896FF2
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD348C7AB0	9_2_00007FFD348C7AB0
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD34899CBD	9_2_00007FFD34899CBD
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD3489D5F8	9_2_00007FFD3489D5F8
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD34898DFA	9_2_00007FFD34898DFA
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD3489D5CF	9_2_00007FFD3489D5CF
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD3489FF1F	9_2_00007FFD3489FF1F
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD3489A771	9_2_00007FFD3489A771
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD3489E9F2	9_2_00007FFD3489E9F2
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD3489E998	9_2_00007FFD3489E998
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD348919CF	9_2_00007FFD348919CF
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD34BA34CF	9_2_00007FFD34BA34CF
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD34BA21F3	9_2_00007FFD34BA21F3
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD34BA4BFC	9_2_00007FFD34BA4BFC
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD34BA6AC5	9_2_00007FFD34BA6AC5

Uses 32bit PE files

Source: ScreenConnect.Client.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: ScreenConnect.WindowsBackstageShell.exe.2.dr, PopoutPanelTaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.WindowsBackstageShell.exe.2.dr, ProgramTaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.WindowsBackstageShell.exe.2.dr, TaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'

Source: classification engine

Classification label: mal60.evad.winEXE@11/72@4/3

Source: C:\Users\user\Desktop\ScreenConnect.Client.exe

0_2_00091000

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

File created: C:\Users\user\AppData\Local\Deployment

Jump to behavior

Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

File created: C:\Users\user\AppData\Local\Temp\Deployment

Jump to behavior

Source: C:\Users\user\Desktop\ScreenConnect.Client.exe	Command line argument: kernel32	0_2_00091000
Source: C:\Users\user\Desktop\ScreenConnect.Client.exe	Command line argument: dfsh	0_2_00091000
Source: C:\Users\user\Desktop\ScreenConnect.Client.exe	Command line argument: atio	0_2_00091000
Source: C:\Users\user\Desktop\ScreenConnect.Client.exe	Command line argument: @1#v	0_2_00091000
Source: C:\Users\user\Desktop\ScreenConnect.Client.exe	Command line argument: dfshim	0_2_00091000
Source: C:\Users\user\Desktop\ScreenConnect.Client.exe	Command line argument: dfshim	0_2_00091000

Source: ScreenConnect.Client.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ScreenConnect.Client.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ScreenConnect.Client.exe	ReversingLabs: Detection: 23%
Source: ScreenConnect.Client.exe	Virustotal: Detection: 21%

Source: C:\Users\user\Desktop\ScreenConnect.Client.exe

File read: C:\Users\user\Desktop\ScreenConnect.Client.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ScreenConnect.Client.exe "C:\Users\user\Desktop\ScreenConnect.Client.exe"
Source: C:\Users\user\Desktop\ScreenConnect.Client.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe"
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=instance-ci40ys-relay.screenconnect.com&p=443&s=f5fa31ab-3d6b-4ee5-bfb2-5ad29218d79d&k=BgIAAACkAABSU0ExAAgAAAEAAQD9W8zoNnWPJoC76yT2IsLormUE81mBMnaWjFNs3fZDUt%2fuPrvind%2f8vwd0BQl3L0KToJz0OEFRb9JGHP3C35cRcpSBwPza6Nz%2fkAsAH0ilFSAm8EWT2EeRPlbvdxwcDAiKBZ83L%2buWfTmIYPnucJuK3Ilz9SL%2ffGZRWRlZKvsfRj3gKzbvZ1GMSafa1764zjIi6OZySfgjZVNBAxrg21rNeq4Q4RYmuEHkOyZ0quLNNoGAclMpQWUsVu3cBwsmOWEqC%2fG4l1BxM563kpsC1GTA3rjAUmyvvkBXzg9HU7hKY%2bllFed5jp%2fhAgzJv6mqZQpOpRNIzwXj41kCzYdVD%2bu0&r=&i=Untitled%20Session" "1"
Source: unknown	Process created: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=instance-ci40ys-relay.screenconnect.com&p=443&s=f5fa31ab-3d6b-4ee5-bfb2-5ad29218d79d&k=BgIAAACkAABSU0ExAAgAAAEAAQD9W8zoNnWPJoC76yT2IsLormUE81mBMnaWjFNs3fZDUt%2fuPrvind%2f8vwd0BQl3L0KToJz0OEFRb9JGHP3C35cRcpSBwPza6Nz%2fkAsAH0ilFSAm8EWT2EeRPlbvdxwcDAiKBZ83L%2buWfTmIYPnucJuK3Ilz9SL%2ffGZRWRlZKvsfRj3gKzbvZ1GMSafa1764zjIi6OZySfgjZVNBAxrg21rNeq4Q4RYmuEHkOyZ0quLNNoGAclMpQWUsVu3cBwsmOWEqC%2fG4l1BxM563kpsC1GTA3rjAUmyvvkBXzg9HU7hKY%2bllFed5jp%2fhAgzJv6mqZQpOpRNIzwXj41kCzYdVD%2bu0&r=&i=Untitled%20Session" "1"
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe" "RunRole" "00bf8db2-e7be-4b91-a934-0cef64fa5596" "User"
Source: C:\Users\user\Desktop\ScreenConnect.Client.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=instance-ci40ys-relay.screenconnect.com&p=443&s=f5fa31ab-3d6b-4ee5-bfb2-5ad29218d79d&k=BgIAAACkAABSU0ExAAgAAAEAAQD9W8zoNnWPJoC76yT2IsLormUE81mBMnaWjFNs3fZDUt%2fuPrvind%2f8vwd0BQl3L0KToJz0OEFRb9JGHP3C35cRcpSBwPza6Nz%2fkAsAH0ilFSAm8EWT2EeRPlbvdxwcDAiKBZ83L%2buWfTmIYPnucJuK3Ilz9SL%2ffGZRWRlZKvsfRj3gKzbvZ1GMSafa1764zjIi6OZySfgjZVNBAxrg21rNeq4Q4RYmuEHkOyZ0quLNNoGAclMpQWUsVu3cBwsmOWEqC%2fG4l1BxM563kpsC1GTA3rjAUmyvvkBXzg9HU7hKY%2bllFed5jp%2fhAgzJv6mqZQpOpRNIzwXj41kCzYdVD%2bu0&r=&i=Untitled%20Session" "1"	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe" "RunRole" "00bf8db2-e7be-4b91-a934-0cef64fa5596" "User"	Jump to behavior

Source: C:\Users\user\Desktop\ScreenConnect.Client.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ScreenConnect.Client.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ScreenConnect.Client.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ScreenConnect.Client.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ScreenConnect.Client.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ScreenConnect.Client.exe	Section loaded: dfshim.dll	Jump to behavior
Source: C:\Users\user\Desktop\ScreenConnect.Client.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ScreenConnect.Client.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\ScreenConnect.Client.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\ScreenConnect.Client.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ScreenConnect.Client.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ScreenConnect.Client.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ScreenConnect.Client.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ScreenConnect.Client.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dfshim.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: thumbcache.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Section loaded: dfshim.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Section loaded: dwrite.dll

Source: C:\Users\user\Desktop\ScreenConnect.Client.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32

Jump to behavior

Reads internet explorer settings

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Found GUI installer (many successful clicks)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Automated click: Run
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Automated click: Run

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

PE / OLE file has a valid certificate

Source: ScreenConnect.Client.exe

Static PE information: certificate valid

PE file contains a mix of data directories often seen in goodware

Source: ScreenConnect.Client.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ScreenConnect.Client.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ScreenConnect.Client.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ScreenConnect.Client.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ScreenConnect.Client.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ScreenConnect.Client.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: ScreenConnect.Client.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

PE file contains a debug data directory

Source: ScreenConnect.Client.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr
Source:	Binary string: C:\Users\jmorgan\Source\cwcontrol\Misc\Bootstrapper\Release\ClickOnceRunner.pdb source: ScreenConnect.Client.exe
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: dfsvc.exe, 00000002.00000002.3084038750.000002CD541D9000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD53E9F000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.2444186300.00000000024F2000.00000002.00000001.01000000.0000000E.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.3345646904.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.3345293271.0000000001250000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.ClientService.dll.2.dr, ScreenConnect.ClientService.dll0.2.dr
Source:	Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000007.00000000.2428596297.0000000000BFD000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr
Source:	Binary string: mscorlib.pdb source: ScreenConnect.ClientService.exe, 00000008.00000002.3343087930.000000000086E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: dfsvc.exe, 00000002.00000002.3084038750.000002CD541D9000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD540CF000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54519000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.2447682763.000000001BFB2000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Windows.dll0.2.dr, ScreenConnect.Windows.dll.2.dr
Source:	Binary string: ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.Client.pdb source: ScreenConnect.ClientService.exe, 00000008.00000002.3343087930.00000000008A3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000006.00000000.2420711709.0000000000CA2000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsClient.exe.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: dfsvc.exe, 00000002.00000002.3084038750.000002CD541D9000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD53EA8000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.2445850817.00000000014F2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.ClientService.exe, 00000008.00000002.3343087930.000000000086E000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.Client.dll.2.dr, ScreenConnect.Client.dll0.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb] source: dfsvc.exe, 00000002.00000002.3084038750.000002CD541D9000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD53EA8000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.2445850817.00000000014F2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.ClientService.exe, 00000008.00000002.3343087930.000000000086E000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.Client.dll.2.dr, ScreenConnect.Client.dll0.2.dr
Source:	Binary string: b.pdb source: ScreenConnect.ClientService.exe, 00000008.00000002.3343087930.00000000007EE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdbY/ source: dfsvc.exe, 00000002.00000002.3084038750.000002CD541D9000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD53EAC000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.2444628670.0000000004B22000.00000002.00000001.01000000.0000000F.sdmp, ScreenConnect.ClientService.exe, 00000008.00000002.3343087930.000000000089A000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.Core.dll0.2.dr, ScreenConnect.Core.dll.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: dfsvc.exe, 00000002.00000002.3084038750.000002CD541D9000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD53EAC000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000007.00000002.2444628670.0000000004B22000.00000002.00000001.01000000.0000000F.sdmp, ScreenConnect.ClientService.exe, 00000008.00000002.3343087930.000000000089A000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.Core.dll0.2.dr, ScreenConnect.Core.dll.2.dr

PE file contains a valid data directory to section mapping

Source: ScreenConnect.Client.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ScreenConnect.Client.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ScreenConnect.Client.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ScreenConnect.Client.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ScreenConnect.Client.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Binary contains a suspicious time stamp

Source: ScreenConnect.WindowsClient.exe.2.dr

Static PE information: 0xC4507774 [Tue May 15 11:03:16 2074 UTC]

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\ScreenConnect.Client.exe

0_2_00091000

PE file contains an invalid checksum

Source: ScreenConnect.Client.exe

Static PE information: real checksum: 0x177d1 should be: 0x182ca

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\ScreenConnect.Client.exe	Code function: 0_2_00091C00 push ecx; ret	0_2_00091C13
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD3479D2A5 pushad ; iretd	2_2_00007FFD3479D2A6
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD348B845E push eax; ret	2_2_00007FFD348B846D
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD348C97B8 push esp; iretd	2_2_00007FFD348E56C9
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD348B00BD pushad ; iretd	2_2_00007FFD348B00C1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD348B842E pushad ; ret	2_2_00007FFD348B845D
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD348E536D push esp; iretd	2_2_00007FFD348E56C9
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD348B7D00 push eax; retf	2_2_00007FFD348B7D1D
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFD348D4B86 push ss; ret	2_2_00007FFD348D4B87
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Code function: 6_2_00007FFD348C8615 push es; retf	6_2_00007FFD348C8746
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Code function: 6_2_00007FFD348C8942 push eax; iretd	6_2_00007FFD348C89CB
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Code function: 6_2_00007FFD348C89CC push eax; iretd	6_2_00007FFD348C89CB
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Code function: 8_2_011BF290 push eax; iretd	8_2_011BF291
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Code function: 8_2_04A672F0 push eax; mov dword ptr [esp], ecx	8_2_04A672F1
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Code function: 8_2_04A6CDE0 pushfd ; ret	8_2_04A6CDE1
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Code function: 8_2_04A64EE0 push eax; mov dword ptr [esp], ecx	8_2_04A64EE1
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD3489845E push eax; ret	9_2_00007FFD3489846D
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD348A0685 pushad ; iretd	9_2_00007FFD348A0859
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD348A0820 pushad ; iretd	9_2_00007FFD348A0859
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD348983D3 pushad ; ret	9_2_00007FFD3489845D
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD34BA8CCC pushad ; iretd	9_2_00007FFD34BA8CCD
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD34BA8CDC push esp; iretd	9_2_00007FFD34BA8CDD
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD34BA3FC4 push edx; iretd	9_2_00007FFD34BA3FC5

Persistence and Installation Behavior

Drops PE files

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..dows_4b14c015c87c1ad8_0017.0009_none_6a433ce92d10b8e9\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..ient_4b14c015c87c1ad8_0017.0009_none_c7123e2bd9a688c6\ScreenConnect.WindowsClient.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..core_4b14c015c87c1ad8_0017.0009_none_65cb6507f0c2a5b9\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.WindowsClient.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\ScreenConnect.ClientService.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..ient_4b14c015c87c1ad8_0017.0009_none_fbe0c2da0011fbbd\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.ClientService.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..vice_4b14c015c87c1ad8_0017.0009_none_171efd5086820924\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file

May use bcdedit to modify the Windows boot settings

Source: ScreenConnect.ClientService.dll.2.dr	Binary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}
Source: ScreenConnect.ClientService.dll0.2.dr	Binary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}

Boot Survival

Creates or modifies windows services

Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application

Jump to behavior

Modifies existing windows services

Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (f5fa31ab-3d6b-4ee5-bfb2-5ad29218d79d)

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Contains functionality to hide user accounts

Source: ScreenConnect.WindowsClient.exe, 00000006.00000002.2447682763.000000001BFB2000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.ClientService.exe, 00000007.00000002.2444186300.00000000024F2000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.3345646904.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.3345293271.0000000001250000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.ClientService.dll.2.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.ClientService.dll0.2.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.Windows.dll0.2.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.Windows.dll.2.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList

Stores large binary data to the registry

Source: C:\Users\user\Desktop\ScreenConnect.Client.exe

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Memory allocated: 2CD524C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Memory allocated: 2CD6BE20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Memory allocated: 1260000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Memory allocated: 1AEB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Memory allocated: B90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Memory allocated: 25B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Memory allocated: 45B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Memory allocated: 11B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Memory allocated: 1350000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Memory allocated: 11D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Memory allocated: 1210000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Memory allocated: 1ABB0000 memory reserve \| memory write watch

Contains long sleeps (>= 3 min)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599663	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599433	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599209	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598858	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598421	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597327	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597108	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596452	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596214	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595999	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595880	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595530	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595419	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595311	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595200	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595092	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594974	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594609	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Window / User API: threadDelayed 2143			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Window / User API: threadDelayed 7537			Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..dows_4b14c015c87c1ad8_0017.0009_none_6a433ce92d10b8e9\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..core_4b14c015c87c1ad8_0017.0009_none_65cb6507f0c2a5b9\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..ient_4b14c015c87c1ad8_0017.0009_none_fbe0c2da0011fbbd\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..vice_4b14c015c87c1ad8_0017.0009_none_171efd5086820924\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\ScreenConnect.Client.exe TID: 5004	Thread sleep time: -40000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 2448	Thread sleep time: -30437127721620741s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 2448	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 2448	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 2448	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 2448	Thread sleep time: -599663s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 2448	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 2448	Thread sleep time: -599433s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 2448	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 2448	Thread sleep time: -599209s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 2448	Thread sleep time: -599078s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 2448	Thread sleep time: -598968s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 2448	Thread sleep time: -598858s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 2448	Thread sleep time: -598750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 2448	Thread sleep time: -598640s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 2448	Thread sleep time: -598531s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 2448	Thread sleep time: -598421s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 2448	Thread sleep time: -598312s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 2448	Thread sleep time: -598203s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 2448	Thread sleep time: -598093s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 2448	Thread sleep time: -597984s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 2448	Thread sleep time: -597875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 2448	Thread sleep time: -597765s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 2448	Thread sleep time: -597656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 2448	Thread sleep time: -597546s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 2448	Thread sleep time: -597437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 2448	Thread sleep time: -597327s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 2448	Thread sleep time: -597218s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 2448	Thread sleep time: -597108s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 2448	Thread sleep time: -597000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 2448	Thread sleep time: -596890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 2448	Thread sleep time: -596781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 2448	Thread sleep time: -596671s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 2448	Thread sleep time: -596562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 2448	Thread sleep time: -596452s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 2448	Thread sleep time: -596343s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 2448	Thread sleep time: -596214s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 2448	Thread sleep time: -596109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 2448	Thread sleep time: -595999s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 2448	Thread sleep time: -595880s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 2448	Thread sleep time: -595750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 2448	Thread sleep time: -595640s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 2448	Thread sleep time: -595530s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 2448	Thread sleep time: -595419s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 2448	Thread sleep time: -595311s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 2448	Thread sleep time: -595200s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 2448	Thread sleep time: -595092s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 2448	Thread sleep time: -594974s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 2448	Thread sleep time: -594828s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 2448	Thread sleep time: -594718s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 2448	Thread sleep time: -594609s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7060	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe TID: 5960	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe TID: 5724	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe TID: 5000	Thread sleep time: -30000s >= -30000s	Jump to behavior

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Users\user\Desktop\ScreenConnect.Client.exe

Code function: 0_2_00094A8B FindFirstFileExA,

0_2_00094A8B

Source: C:\Users\user\Desktop\ScreenConnect.Client.exe	Thread delayed: delay time: 40000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599663	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599433	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599209	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598858	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598421	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597327	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597108	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596452	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596214	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595999	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595880	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595530	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595419	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595311	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595200	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595092	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594974	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594609	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File opened: C:\Users\user\AppData\Local\Apps\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File opened: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File opened: C:\Users\user\AppData\Local\Apps\2.0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Source: dfsvc.exe, 00000002.00000002.3094560702.000002CD6E14C000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3091076826.000002CD6C650000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3348050615.00000104F885C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: ScreenConnect.ClientService.exe, 00000008.00000002.3343087930.00000000007EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW\System\v4.0_4J dn.
Source: dfsvc.exe, 00000002.00000002.3093536337.000002CD6E0A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}i_
Source: svchost.exe, 00000004.00000002.3344952016.00000104F322A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@
Source: ScreenConnect.ClientService.exe, 00000008.00000002.3343087930.00000000007EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\ScreenConnect.Client.exe

Code function: 0_2_00091950 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00091950

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\ScreenConnect.Client.exe

0_2_00091000

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\ScreenConnect.Client.exe

Code function: 0_2_000936B7 mov eax, dword ptr fs:[00000030h]

0_2_000936B7

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\ScreenConnect.Client.exe

Code function: 0_2_000968D6 GetProcessHeap,

0_2_000968D6

Enables debug privileges

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Process token adjusted: Debug			Jump to behavior

Launches processes in debugging mode, may be used to hinder debugging

Source: C:\Users\user\Desktop\ScreenConnect.Client.exe

Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"

Jump to behavior

Source: C:\Users\user\Desktop\ScreenConnect.Client.exe	Code function: 0_2_000914C4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_000914C4
Source: C:\Users\user\Desktop\ScreenConnect.Client.exe	Code function: 0_2_00091950 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00091950
Source: C:\Users\user\Desktop\ScreenConnect.Client.exe	Code function: 0_2_000945B3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_000945B3
Source: C:\Users\user\Desktop\ScreenConnect.Client.exe	Code function: 0_2_00091AE3 SetUnhandledExceptionFilter,	0_2_00091AE3

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: ScreenConnect.Windows.dll.2.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.VirtualAlloc(attemptImageBase, dwSize, WindowsNative.MEM.MEM_COMMIT \| WindowsNative.MEM.MEM_RESERVE, WindowsNative.PAGE.PAGE_READWRITE)
Source: ScreenConnect.Windows.dll.2.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.LoadLibrary(loadedImageBase + ptr[i].Name)
Source: ScreenConnect.Windows.dll.2.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.GetProcAddress(intPtr, ptr5)
Source: ScreenConnect.Windows.dll.2.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.VirtualProtect(loadedImageBase + sectionHeaders[i].VirtualAddress, (IntPtr)num, flNewProtect, &pAGE)
Source: ScreenConnect.Windows.dll.2.dr, WindowsExtensions.cs	Reference to suspicious API methods: HandleMinder.CreateWithFunc(WindowsNative.OpenProcess(processAccess, bInheritHandle: false, processID), WindowsNative.CloseHandle)

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe"			Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=instance-ci40ys-relay.screenconnect.com&p=443&s=f5fa31ab-3d6b-4ee5-bfb2-5ad29218d79d&k=BgIAAACkAABSU0ExAAgAAAEAAQD9W8zoNnWPJoC76yT2IsLormUE81mBMnaWjFNs3fZDUt%2fuPrvind%2f8vwd0BQl3L0KToJz0OEFRb9JGHP3C35cRcpSBwPza6Nz%2fkAsAH0ilFSAm8EWT2EeRPlbvdxwcDAiKBZ83L%2buWfTmIYPnucJuK3Ilz9SL%2ffGZRWRlZKvsfRj3gKzbvZ1GMSafa1764zjIi6OZySfgjZVNBAxrg21rNeq4Q4RYmuEHkOyZ0quLNNoGAclMpQWUsVu3cBwsmOWEqC%2fG4l1BxM563kpsC1GTA3rjAUmyvvkBXzg9HU7hKY%2bllFed5jp%2fhAgzJv6mqZQpOpRNIzwXj41kCzYdVD%2bu0&r=&i=Untitled%20Session" "1"			Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe "c:\users\user\appdata\local\apps\2.0\boza6rry.o1r\27gobdjk.3zx\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\screenconnect.clientservice.exe" "?e=support&y=guest&h=instance-ci40ys-relay.screenconnect.com&p=443&s=f5fa31ab-3d6b-4ee5-bfb2-5ad29218d79d&k=bgiaaackaabsu0exaagaaaeaaqd9w8zonnwpjoc76yt2islormue81mbmnawjfns3fzdut%2fuprvind%2f8vwd0bql3l0ktojz0oefrb9jghp3c35crcpsbwpza6nz%2fkasah0ilfsam8ewt2eerplbvdxwcdaikbz83l%2buwftmiypnucjuk3ilz9sl%2ffgzrwrlzkvsfrj3gkzbvz1gmsafa1764zjii6ozysfgjzvnbaxrg21rneq4q4rymuehkoyz0qulnnogaclmpqwusvu3cbwsmoweqc%2fg4l1bxm563kpsc1gta3rjaumyvvkbxzg9hu7hky%2bllfed5jp%2fhagzjv6mqzqpoprnizwxj41kczydvd%2bu0&r=&i=untitled%20session" "1"
Source: unknown	Process created: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe "c:\users\user\appdata\local\apps\2.0\boza6rry.o1r\27gobdjk.3zx\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\screenconnect.clientservice.exe" "?e=support&y=guest&h=instance-ci40ys-relay.screenconnect.com&p=443&s=f5fa31ab-3d6b-4ee5-bfb2-5ad29218d79d&k=bgiaaackaabsu0exaagaaaeaaqd9w8zonnwpjoc76yt2islormue81mbmnawjfns3fzdut%2fuprvind%2f8vwd0bql3l0ktojz0oefrb9jghp3c35crcpsbwpza6nz%2fkasah0ilfsam8ewt2eerplbvdxwcdaikbz83l%2buwftmiypnucjuk3ilz9sl%2ffgzrwrlzkvsfrj3gkzbvz1gmsafa1764zjii6ozysfgjzvnbaxrg21rneq4q4rymuehkoyz0qulnnogaclmpqwusvu3cbwsmoweqc%2fg4l1bxm563kpsc1gta3rjaumyvvkbxzg9hu7hky%2bllfed5jp%2fhagzjv6mqzqpoprnizwxj41kczydvd%2bu0&r=&i=untitled%20session" "1"
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe "c:\users\user\appdata\local\apps\2.0\boza6rry.o1r\27gobdjk.3zx\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\screenconnect.clientservice.exe" "?e=support&y=guest&h=instance-ci40ys-relay.screenconnect.com&p=443&s=f5fa31ab-3d6b-4ee5-bfb2-5ad29218d79d&k=bgiaaackaabsu0exaagaaaeaaqd9w8zonnwpjoc76yt2islormue81mbmnawjfns3fzdut%2fuprvind%2f8vwd0bql3l0ktojz0oefrb9jghp3c35crcpsbwpza6nz%2fkasah0ilfsam8ewt2eerplbvdxwcdaikbz83l%2buwftmiypnucjuk3ilz9sl%2ffgzrwrlzkvsfrj3gkzbvz1gmsafa1764zjii6ozysfgjzvnbaxrg21rneq4q4rymuehkoyz0qulnnogaclmpqwusvu3cbwsmoweqc%2fg4l1bxm563kpsc1gta3rjaumyvvkbxzg9hu7hky%2bllfed5jp%2fhagzjv6mqzqpoprnizwxj41kczydvd%2bu0&r=&i=untitled%20session" "1"	Jump to behavior

Source: ScreenConnect.WindowsClient.exe, 00000006.00000000.2420711709.0000000000CA2000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsClient.exe.2.dr	Binary or memory string: Progman
Source: ScreenConnect.WindowsClient.exe, 00000006.00000000.2420711709.0000000000CA2000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsClient.exe.2.dr	Binary or memory string: Shell_TrayWnd-Shell_SecondaryTrayWnd%MsgrIMEWindowClass

Language, Device and Operating System Detection

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\ScreenConnect.Client.exe

Code function: 0_2_00091C14 cpuid

0_2_00091C14

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.WindowsClient.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.WindowsClient.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.WindowsClient.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.ClientService.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.WindowsBackstageShell.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.WindowsFileManager.exe.config VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.WindowsClient.exe.config VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.WindowsBackstageShell.exe.config VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.WindowsFileManager.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.WindowsClient.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.Client.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.Core.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.Windows.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.dll VolumeInformation

Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe

Code function: 8_2_04A6C600 CreateNamedPipeW,

8_2_04A6C600

Source: C:\Users\user\Desktop\ScreenConnect.Client.exe

Code function: 0_2_00091837 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00091837

Source: C:\Users\user\Desktop\ScreenConnect.Client.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Adds / modifies Windows certificates

Source: C:\Users\user\Desktop\ScreenConnect.Client.exe

Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob

Jump to behavior

Remote Access Functionality

Yara detected ScreenConnect Tool

Source: Yara match	File source: 6.0.ScreenConnect.WindowsClient.exe.ca0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000000.2420711709.0000000000CA2000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3084038750.000002CD540FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2446052274.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dfsvc.exe PID: 1048, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ScreenConnect.WindowsClient.exe PID: 528, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ScreenConnect.ClientService.exe PID: 5112, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..ient_4b14c015c87c1ad8_0017.0009_none_c7123e2bd9a688c6\ScreenConnect.WindowsClient.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..ient_4b14c015c87c1ad8_0017.0009_none_c7123e2bd9a688c6\ScreenConnect.WindowsClient.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	11 Native API	1 DLL Side-Loading	1 DLL Side-Loading	21 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	12 Command and Scripting Interpreter	1 DLL Search Order Hijacking	1 DLL Search Order Hijacking	1 Obfuscated Files or Information	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 Valid Accounts	1 Valid Accounts	1 Install Root Certificate	Security Account Manager	34 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Windows Service	1 Access Token Manipulation	1 Timestomp	NTDS	131 Security Software Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	1 Scheduled Task/Job	2 Windows Service	1 DLL Side-Loading	LSA Secrets	2 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	1 Bootkit	13 Process Injection	1 DLL Search Order Hijacking	Cached Domain Credentials	41 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	1 Scheduled Task/Job	11 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Valid Accounts	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Modify Registry	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Access Token Manipulation	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	41 Virtualization/Sandbox Evasion	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	13 Process Injection	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	1 Hidden Users	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service
Business Relationships	Server	Trusted Relationship	Visual Basic	Container Orchestration Job	Container Orchestration Job	1 Bootkit	Web Portal Capture	Local Groups	Component Object Model and Distributed COM	Local Email Collection	Internal Proxy	Commonly Used Port	Direct Network Flood

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ScreenConnect.Client.exe	24%	ReversingLabs	Win32.PUA.Connectwise
ScreenConnect.Client.exe	21%	Virustotal		Browse
ScreenConnect.Client.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\ScreenConnect.ClientService.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\ScreenConnect.ClientService.exe	1%	Virustotal	Browse
C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\ScreenConnect.WindowsBackstageShell.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\ScreenConnect.WindowsBackstageShell.exe	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\ScreenConnect.WindowsFileManager.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\ScreenConnect.WindowsFileManager.exe	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..core_4b14c015c87c1ad8_0017.0009_none_65cb6507f0c2a5b9\ScreenConnect.Core.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..core_4b14c015c87c1ad8_0017.0009_none_65cb6507f0c2a5b9\ScreenConnect.Core.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..dows_4b14c015c87c1ad8_0017.0009_none_6a433ce92d10b8e9\ScreenConnect.Windows.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..dows_4b14c015c87c1ad8_0017.0009_none_6a433ce92d10b8e9\ScreenConnect.Windows.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..ient_4b14c015c87c1ad8_0017.0009_none_c7123e2bd9a688c6\ScreenConnect.WindowsClient.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..ient_4b14c015c87c1ad8_0017.0009_none_c7123e2bd9a688c6\ScreenConnect.WindowsClient.exe	7%	Virustotal	Browse
C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..ient_4b14c015c87c1ad8_0017.0009_none_fbe0c2da0011fbbd\ScreenConnect.Client.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..ient_4b14c015c87c1ad8_0017.0009_none_fbe0c2da0011fbbd\ScreenConnect.Client.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..vice_4b14c015c87c1ad8_0017.0009_none_171efd5086820924\ScreenConnect.ClientService.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..vice_4b14c015c87c1ad8_0017.0009_none_171efd5086820924\ScreenConnect.ClientService.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.Client.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.Client.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.ClientService.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.ClientService.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.ClientService.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.ClientService.exe	1%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.Core.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.Core.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.Windows.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.Windows.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.WindowsBackstageShell.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.WindowsBackstageShell.exe	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.WindowsClient.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.WindowsClient.exe	7%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.WindowsFileManager.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.WindowsFileManager.exe	0%	Virustotal	Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
fp2e7a.wpc.phicdn.net	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.w3.o	0%	URL Reputation	safe
http://www.w3.or	0%	URL Reputation	safe
http://server-nixeba81050-web.screenconnect.com0	0%	Avira URL Cloud	safe
http://www.xrml.org/schema/2001/11/xrml2coreS	0%	Avira URL Cloud	safe
https://marcile61.screenco	0%	Avira URL Cloud	safe
https://marcile61.scree	0%	Avira URL Cloud	safe
http://schemas.microso	0%	Avira URL Cloud	safe
http://www.xrml.org/schema/2001/11/xrml2core	0%	Avira URL Cloud	safe
http://crl.ver)	0%	Avira URL Cloud	safe
http://www.w3.or0	0%	Avira URL Cloud	safe
http://www.xrml.org/schema/2001/11/xrml2core	0%	Virustotal		Browse
http://www.xrml.org/schema/2001/11/xrml2coreS	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
server-nixeba81050-relay.screenconnect.com	147.28.128.252	true	false		high
server-nixeba81050-web.screenconnect.com	147.28.128.254	true	false		high
fp2e7a.wpc.phicdn.net	192.229.211.108	true	false	0%, Virustotal, Browse	unknown
marcile61.screenconnect.com	unknown	unknown	false		high
instance-ci40ys-relay.screenconnect.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Reputation
https://marcile61.screenconnect.com/Bin/ScreenConnect.WindowsClient.exe.config	false	high
https://marcile61.screenconnect.com/Bin/ScreenConnect.Client.manifest	false	high
https://marcile61.screenconnect.com/Bin/ScreenConnect.WindowsBackstageShell.exe	false	high
https://marcile61.screenconnect.com/Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=instance-ci40ys-relay.screenconnect.com&p=443&s=f5fa31ab-3d6b-4ee5-bfb2-5ad29218d79d&k=BgIAAACkAABSU0ExAAgAAAEAAQD9W8zoNnWPJoC76yT2IsLormUE81mBMnaWjFNs3fZDUt%2fuPrvind%2f8vwd0BQl3L0KToJz0OEFRb9JGHP3C35cRcpSBwPza6Nz%2fkAsAH0ilFSAm8EWT2EeRPlbvdxwcDAiKBZ83L%2buWfTmIYPnucJuK3Ilz9SL%2ffGZRWRlZKvsfRj3gKzbvZ1GMSafa1764zjIi6OZySfgjZVNBAxrg21rNeq4Q4RYmuEHkOyZ0quLNNoGAclMpQWUsVu3cBwsmOWEqC%2fG4l1BxM563kpsC1GTA3rjAUmyvvkBXzg9HU7hKY%2bllFed5jp%2fhAgzJv6mqZQpOpRNIzwXj41kCzYdVD%2bu0&r=&i=Untitled%20Session	false	high
https://marcile61.screenconnect.com/Bin/ScreenConnect.Client.dll	false	high
https://marcile61.screenconnect.com/Bin/ScreenConnect.Windows.dll	false	high
https://marcile61.screenconnect.com/Bin/ScreenConnect.WindowsFileManager.exe	false	high
https://marcile61.screenconnect.com/Bin/ScreenConnect.WindowsClient.exe	false	high
https://marcile61.screenconnect.com/Bin/ScreenConnect.WindowsBackstageShell.exe.config	false	high
https://marcile61.screenconnect.com/Bin/ScreenConnect.Core.dll	false	high
https://marcile61.screenconnect.com/Bin/ScreenConnect.ClientService.dll	false	high
https://marcile61.screenconnect.com/Bin/ScreenConnect.ClientService.exe	false	high
https://marcile61.screenconnect.com/Bin/ScreenConnect.WindowsFileManager.exe.config	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://marcile61.screenconnect.com/Bin/ScreenConnect.Wind	dfsvc.exe, 00000002.00000002.3084038750.000002CD545EB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://marcile61.screenconnect.com/Bin/ScreenConnect.WindowsFileManager.exe~	dfsvc.exe, 00000002.00000002.3083099695.000002CD522D5000.00000004.00000020.00020000.00000000.sdmp	false		high
http://instance-ci40ys-relay.screenconnect.com:443/	ScreenConnect.ClientService.exe, 00000008.00000002.3343087930.00000000007EE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://marcile61.screenconnect.com/Bin/ScreenConnect.ClientSe	dfsvc.exe, 00000002.00000002.3084038750.000002CD54466000.00000004.00000800.00020000.00000000.sdmp	false		high
https://marcile61.screenconnect.com/Bin/ScreenConnect.WindowsBackstageShell.exe.configKP	dfsvc.exe, 00000002.00000002.3094104894.000002CD6E0BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://marcile61.screenconnect.com/Bin/ScreenConnect.WindowsClient.exe.config4	dfsvc.exe, 00000002.00000002.3091076826.000002CD6C5F0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://marcile61.screenconnect.com/Bin/ScreenConnect.Client.manifestk	dfsvc.exe, 00000002.00000002.3092471158.000002CD6E03A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://marcile61.screenconnect.com	dfsvc.exe, 00000002.00000002.3084038750.000002CD54535000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54591000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54466000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD545EB000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54079000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD545A1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://instance-ci40ys-relay.screenconnect.com:443/)	ScreenConnect.ClientService.exe, 00000008.00000002.3343087930.00000000007EE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://marcile61.scree	dfsvc.exe, 00000002.00000002.3084038750.000002CD54337000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://marcile61.screenconnect.com/Bin/ScreenConnect.WindowsBackstage	dfsvc.exe, 00000002.00000002.3084038750.000002CD54535000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.microso	dfsvc.exe, 00000002.00000002.3092471158.000002CD6E022000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://marcile61.screenconnect.com/Bin/ScreenConnect.Client.application96jG	ScreenConnect.WindowsClient.exe, 00000006.00000002.2445196544.00000000012A2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://marcile61.screenconnect.com/Bin/ScreenConnect.Client.application~	ScreenConnect.WindowsClient.exe, 00000006.00000002.2445196544.0000000001336000.00000004.00000020.00020000.00000000.sdmp	false		high
https://marcile61.screenconnect.com/Bin/ScreenConnect.Client.application#ScreenConnect.WindowsClient	ScreenConnect.WindowsClient.exe, 00000006.00000002.2446052274.0000000002EC0000.00000004.00000800.00020000.00000000.sdmp, GWVHVA9M.log.2.dr	false		high
http://www.xrml.org/schema/2001/11/xrml2coreS	dfsvc.exe, 00000002.00000002.3084038750.000002CD53EB0000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://marcile61.screenco	dfsvc.exe, 00000002.00000002.3084038750.000002CD545A1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://marcile61.screenconnect.com/Bin/ScreenConnect.WindowsBackstageShell.ex	dfsvc.exe, 00000002.00000002.3084038750.000002CD545A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://marcile61.screenconnect.com/Bin/ScreenConnect.WindowsFileManager.exe.configj	dfsvc.exe, 00000002.00000002.3092471158.000002CD6E022000.00000004.00000020.00020000.00000000.sdmp	false		high
https://marcile61.screenconnect.com/Bin/ScreenConnect.Client.manifestE	ScreenConnect.WindowsClient.exe, 00000006.00000002.2447338158.000000001B94C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://marcile61.screenconnect.com/Bin/ScreenConnect.WindowsFileManagp	dfsvc.exe, 00000002.00000002.3084038750.000002CD545A1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.w3.o	dfsvc.exe, 00000002.00000002.3084038750.000002CD5426A000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD5423E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://instance-ci40ys-relay.screenconnect.com:443/?	ScreenConnect.ClientService.exe, 00000008.00000002.3343087930.00000000007EE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://server-nixeba81050-web.screenconnect.com0	dfsvc.exe, 00000002.00000002.3084038750.000002CD545A1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://marcile61.screenconnect.com/Bin/ScreenConnect.Client.application	ScreenConnect.WindowsClient.exe, 00000006.00000002.2445196544.0000000001336000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.2447132803.000000001B8AD000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.2445196544.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.2447152882.000000001B8B6000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.2446052274.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.2445705427.0000000001363000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.2446052274.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000006.00000002.2446052274.0000000002EC0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	dfsvc.exe, 00000002.00000002.3084038750.000002CD53E3A000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000008.00000002.3347883381.00000000013B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://marcile61.screenconnect.com/Bin/ScreenConnect.Client.application0898jQ	ScreenConnect.WindowsClient.exe, 00000006.00000002.2445196544.00000000012A2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://marcile61.screenconnect.com/Bin/ScreenConnect.WindowsClient.exx	dfsvc.exe, 00000002.00000002.3084038750.000002CD54591000.00000004.00000800.00020000.00000000.sdmp	false		high
http://marcile61.screenconnect.com	dfsvc.exe, 00000002.00000002.3084038750.000002CD54535000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54591000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54466000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD545EB000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD545A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://marcile61.screenconnect.com/Bin/ScreenConnect.Client.applicationX	ScreenConnect.WindowsClient.exe, 00000006.00000002.2446052274.0000000002EC0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.xrml.org/schema/2001/11/xrml2core	dfsvc.exe, 00000002.00000002.3084038750.000002CD53EB0000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://marcile61.screenconnect.com/Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=instanc	GWVHVA9M.log.2.dr	false		high
https://marcile61.screenconnect.com/Bin/ScreenConnect.WindowsC	dfsvc.exe, 00000002.00000002.3084038750.000002CD545A1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.w3.or	dfsvc.exe, 00000002.00000002.3084038750.000002CD5426A000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD5428D000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD540FF000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD542B9000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3095043839.000002CD6E1CF000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://g.live.com/odclientsettings/ProdV21C:	svchost.exe, 00000004.00000003.2105045094.00000104F8600000.00000004.00000800.00020000.00000000.sdmp, edb.log.4.dr	false		high
http://crl.ver)	svchost.exe, 00000004.00000002.3348174534.00000104F888D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://instance-ci40ys-relay.screenconnect.com:443/d	ScreenConnect.ClientService.exe, 00000008.00000002.3347883381.000000000143E000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000008.00000002.3347883381.0000000001770000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000008.00000002.3347883381.0000000001804000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000008.00000002.3347883381.0000000001682000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000008.00000002.3347883381.000000000148D000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000008.00000002.3347883381.00000000016BE000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000008.00000002.3347883381.000000000153E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://instance-ci40ys-relay.screenconnect.com:443/c	ScreenConnect.ClientService.exe, 00000008.00000002.3343087930.00000000007EE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://marcile61.screenconnect.com/Bin/ScreenConnect.Client.manifest2	dfsvc.exe, 00000002.00000002.3099266828.000002CD702D9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://marcile61.screenconnect.com/Bin/ScreenConnect.WindowsFileManager.e	dfsvc.exe, 00000002.00000002.3084038750.000002CD54535000.00000004.00000800.00020000.00000000.sdmp	false		high
https://marcile61.screenconnect.com/Bin/ScreenConnect.WindowsClient.exeF	dfsvc.exe, 00000002.00000002.3099266828.000002CD702D9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/Prod1C:	edb.log.4.dr	false		high
https://marcile61.screenconnect.com/Bin/ScreenConnect.Client.application9	dfsvc.exe, 00000002.00000002.3092471158.000002CD6E03A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.w3.or0	dfsvc.exe, 00000002.00000002.3084038750.000002CD5428D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://server-nixeba81050-web.screenconnect.com	dfsvc.exe, 00000002.00000002.3084038750.000002CD54535000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54591000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD54466000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD545EB000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.3084038750.000002CD545A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://marcile61.screenconnect.com/Bin/ScreenConnect.Core.dllKL	dfsvc.exe, 00000002.00000002.3095349059.000002CD70290000.00000004.00000020.00020000.00000000.sdmp	false		high
https://feedback.screenconnect.com/Feedback.axd	ScreenConnect.Core.dll.2.dr	false		high
https://marcile61.screenconnect.com/Bin/ScreenConnect.Client.applicationB	ScreenConnect.WindowsClient.exe, 00000006.00000002.2445196544.0000000001336000.00000004.00000020.00020000.00000000.sdmp	false		high
https://marcile61.screenconnect.com/Bin/ScreenConnect.ClientService.exeH	dfsvc.exe, 00000002.00000002.3099266828.000002CD702D9000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
147.28.128.252	server-nixeba81050-relay.screenconnect.com	United States		3130	RGNET-SEARGnetSeattleWestinEE	false
147.28.128.254	server-nixeba81050-web.screenconnect.com	United States		3130	RGNET-SEARGnetSeattleWestinEE	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1430690
Start date and time:	2024-04-24 02:54:00 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ScreenConnect.Client.exe
Detection:	MAL
Classification:	mal60.evad.winEXE@11/72@4/3
EGA Information:	Successful, ratio: 83.3%
HCA Information:	Successful, ratio: 70% Number of executed functions: 203 Number of non-executed functions: 25
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 192.229.211.108, 23.212.59.50, 23.212.59.9, 104.122.28.179, 72.21.81.240
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, slscr.update.microsoft.com, wu.ec.azureedge.net, cacerts.digicert.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wu-bg-shim.trafficmanager.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net, ocsp.digicert.com, e16604.g.akamaiedge.net, ocsp.edge.digicert.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, prod.fs.microsoft.com.akadns.net
Execution Graph export aborted for target ScreenConnect.ClientService.exe, PID 5112 because it is empty
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:54:48	API Interceptor	1188179x Sleep call for process: dfsvc.exe modified
02:54:48	API Interceptor	1x Sleep call for process: ScreenConnect.Client.exe modified
02:54:49	API Interceptor	2x Sleep call for process: svchost.exe modified
02:55:43	API Interceptor	1x Sleep call for process: ScreenConnect.ClientService.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fp2e7a.wpc.phicdn.net	SecuriteInfo.com.Python.Stealer.1437.14994.32063.exe	Get hash	malicious	Python Stealer	Browse	192.229.211.108
	https://www.longin-eki.co.jp.cduhzkc.cn/	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://www.longin-eki.co.jp.nebxshr.cn/	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://www.admin-longin.co.jp.mc3lva.cn/	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://www.longin.co.jp.wiibhaq.cn/	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://emv1.3rujia.cn/	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://wmicrosouab-4ba8.udydzj.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	192.229.211.108
	https://www.longin-eki.co.jp.zurxyjp.cn/	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://www.3rujia.cn/	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://xxnewmac5xx.z13.web.core.windows.net/	Get hash	malicious	Unknown	Browse	192.229.211.108

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
RGNET-SEARGnetSeattleWestinEE	Remittance. #U0440df.html	Get hash	malicious	HTMLPhisher	Browse	147.28.146.89
	https://invauthsso.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest&t=LwhjpzcSBcSVNAZQLOJlLIeqaIvJlCTmchMvVUFudjuagQwPLN&c=val&c=gzdth&c=390948202&c=37889862&c=3076348&c=626804&c=29194&c=	Get hash	malicious	ScreenConnect Tool	Browse	147.28.129.132
	https://us-east-2.protection.sophos.com?d=screenconnect.com&u=aHR0cHM6Ly9pbnZhdXRoc3NvLnNjcmVlbmNvbm5lY3QuY29tL0Jpbi9TY3JlZW5Db25uZWN0LkNsaWVudFNldHVwLmV4ZT9lPUFjY2VzcyZ5PUd1ZXN0JnQ9cnpqdmxwZ2JHeGFwZXhrSE1YeVpaUnRIbnBGSENDUGRibGZkU05weGpLUG9YdmVhT2omYz12YWwmYz1rckJ2cSZjPTI2NTA3MzY4NSZjPTY2NTE5MDY4JmM9ODIzNjE4MSZjPTIwODg2MCZjPTU0NTczJmM9&i=NWRhOWM5ZTM4ZWZlOTExNjdmZjU4YWFi&t=eXhhUTZYSEJKc0diTjdGR2JjNG4vOHNKbmhvbVdYTG9DVVJ5R0hmZXRvZz0=&h=26351d73de554e6e824184a04530ab82&s=AVNPUEhUT0NFTkNSWVBUSVZoWs2suqsb6VQLf5-mxgvzvRlwgv86PWTETDhsZDMp-_p9OBuNv5LfXkhlC2DvgXLGOMephggYjfKm54n5UCkmoJBDVw_uPG5cQMN8hcye2NoHsLYS_tuUoX350j9eYWo	Get hash	malicious	ScreenConnect Tool	Browse	147.28.129.134
	http://bckonline.com/2018/12/21/orlando-brown-tells-dr-phil-that-he-has-four-kids-and-the-2-year-old-is-still-in-the-belly-video/	Get hash	malicious	Unknown	Browse	147.28.129.37
	https://fixauthconnectapp.pages.dev/connection-module/	Get hash	malicious	Unknown	Browse	147.28.146.89
	https://marine-oceans.com	Get hash	malicious	Unknown	Browse	147.28.129.37
	https://fortyunder40africa.com/well.php	Get hash	malicious	Unknown	Browse	147.28.147.230
	https://earnandexcel.com/blog/how-to-expand-columns-in-excel-multiple-tricks-to-resize-columns-rows/	Get hash	malicious	Unknown	Browse	147.28.129.37
	https://letg.pages.dev/account/js-reporting/?crumb=uZ4.07kERLI&message=javascript_not_enabled&ref=%2Faccount%2Fchallenge%2Fpassword	Get hash	malicious	HTMLPhisher	Browse	147.28.146.89
	https://www.msn.com/en-us/news/us/4-8-magnitude-earthquake-rocks-northeast-live-updates/ar-BB1l86QX?ocid=winp2fptaskbar&cvid=8188dbd6d83d4c53de2c79e22605f3bd&ei=8	Get hash	malicious	Unknown	Browse	147.28.129.37
RGNET-SEARGnetSeattleWestinEE	Remittance. #U0440df.html	Get hash	malicious	HTMLPhisher	Browse	147.28.146.89
	https://invauthsso.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest&t=LwhjpzcSBcSVNAZQLOJlLIeqaIvJlCTmchMvVUFudjuagQwPLN&c=val&c=gzdth&c=390948202&c=37889862&c=3076348&c=626804&c=29194&c=	Get hash	malicious	ScreenConnect Tool	Browse	147.28.129.132
	https://us-east-2.protection.sophos.com?d=screenconnect.com&u=aHR0cHM6Ly9pbnZhdXRoc3NvLnNjcmVlbmNvbm5lY3QuY29tL0Jpbi9TY3JlZW5Db25uZWN0LkNsaWVudFNldHVwLmV4ZT9lPUFjY2VzcyZ5PUd1ZXN0JnQ9cnpqdmxwZ2JHeGFwZXhrSE1YeVpaUnRIbnBGSENDUGRibGZkU05weGpLUG9YdmVhT2omYz12YWwmYz1rckJ2cSZjPTI2NTA3MzY4NSZjPTY2NTE5MDY4JmM9ODIzNjE4MSZjPTIwODg2MCZjPTU0NTczJmM9&i=NWRhOWM5ZTM4ZWZlOTExNjdmZjU4YWFi&t=eXhhUTZYSEJKc0diTjdGR2JjNG4vOHNKbmhvbVdYTG9DVVJ5R0hmZXRvZz0=&h=26351d73de554e6e824184a04530ab82&s=AVNPUEhUT0NFTkNSWVBUSVZoWs2suqsb6VQLf5-mxgvzvRlwgv86PWTETDhsZDMp-_p9OBuNv5LfXkhlC2DvgXLGOMephggYjfKm54n5UCkmoJBDVw_uPG5cQMN8hcye2NoHsLYS_tuUoX350j9eYWo	Get hash	malicious	ScreenConnect Tool	Browse	147.28.129.134
	http://bckonline.com/2018/12/21/orlando-brown-tells-dr-phil-that-he-has-four-kids-and-the-2-year-old-is-still-in-the-belly-video/	Get hash	malicious	Unknown	Browse	147.28.129.37
	https://fixauthconnectapp.pages.dev/connection-module/	Get hash	malicious	Unknown	Browse	147.28.146.89
	https://marine-oceans.com	Get hash	malicious	Unknown	Browse	147.28.129.37
	https://fortyunder40africa.com/well.php	Get hash	malicious	Unknown	Browse	147.28.147.230
	https://earnandexcel.com/blog/how-to-expand-columns-in-excel-multiple-tricks-to-resize-columns-rows/	Get hash	malicious	Unknown	Browse	147.28.129.37
	https://letg.pages.dev/account/js-reporting/?crumb=uZ4.07kERLI&message=javascript_not_enabled&ref=%2Faccount%2Fchallenge%2Fpassword	Get hash	malicious	HTMLPhisher	Browse	147.28.146.89
	https://www.msn.com/en-us/news/us/4-8-magnitude-earthquake-rocks-northeast-live-updates/ar-BB1l86QX?ocid=winp2fptaskbar&cvid=8188dbd6d83d4c53de2c79e22605f3bd&ei=8	Get hash	malicious	Unknown	Browse	147.28.129.37

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	X1.exe	Get hash	malicious	XWorm	Browse	147.28.128.254
	Output.exe	Get hash	malicious	RedLine, XWorm	Browse	147.28.128.254
	X2.exe	Get hash	malicious	XWorm	Browse	147.28.128.254
	BARSYL SHIPPING Co (VIETNAM).exe	Get hash	malicious	AgentTesla	Browse	147.28.128.254
	https://www.admin-longin.co.jp.mc3lva.cn/	Get hash	malicious	Unknown	Browse	147.28.128.254
	https://wmicrosouab-4ba8.udydzj.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	147.28.128.254
	KxgGGaiW3E.exe	Get hash	malicious	Quasar	Browse	147.28.128.254
	https://www.linkedin.com/redir/redirect?url=https%3A%2F%2Flookerstudio%2Egoogle%2Ecom%2Fs%2FscrHqwjeA3k&urlhash=dcQj&trk=public_profile-settings_topcard-website	Get hash	malicious	Unknown	Browse	147.28.128.254
	HS202410407 Elemento de proyecto MSMU5083745.pdf.exe	Get hash	malicious	AgentTesla	Browse	147.28.128.254
	YZPS3Bfyza.exe	Get hash	malicious	Quasar	Browse	147.28.128.254

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\ScreenConnect.ClientService.exe	SSA-taxID-040071.exe	Get hash	malicious	ScreenConnect Tool	Browse
	setup.msi	Get hash	malicious	ScreenConnect Tool	Browse
	https://invauthsso.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest&t=LwhjpzcSBcSVNAZQLOJlLIeqaIvJlCTmchMvVUFudjuagQwPLN&c=val&c=gzdth&c=390948202&c=37889862&c=3076348&c=626804&c=29194&c=	Get hash	malicious	ScreenConnect Tool	Browse
	ScreenConnect.ClientSetup.exe	Get hash	malicious	ScreenConnect Tool	Browse
	ScreenConnect.ClientSetup.exe	Get hash	malicious	ScreenConnect Tool	Browse
	Facture_160087511.html	Get hash	malicious	ScreenConnect Tool	Browse
	SSA-taxID-351788.exe	Get hash	malicious	ScreenConnect Tool	Browse
	https://zoneimport.g3639.gleeze.com:8443/Bin/support.Client.exe?h=zoneimport.g3639.gleeze.com&p=8041&k=BgIAAACkAABSU0ExAAgAAAEAAQC9E418YcI0GPCt6nL8JLXCrMVf52TCL6876nxAnRhTrORKZpQBP%2FOOMq8NyfwADFO5Cd84vRpMcQXSF3WH9nDCENT7s9bnfsiMfr4yv2tN2F2pLViDwga%2FKmuJQ4nHCHKP3ZiHxALI%2FiYFsUB3U7Kh29d9UfQXfO7h7RT3qvsSgosh64UPscMDajPw31sWFKkqxCX6dxsugjZn2HG3HyKdxKwdMqtEMkric02HfEdRRYE4tgBiOoxJ6Qqe%2F3Y6QGqI3ll8CZCAoPErr6Nyf%2F0mXkzkoUzaEZZ2ybUwNOgyikyAdK5HCgvcTJX%2BO4XTPvCcRTaQ8kadfT5nmEpZD7OS&s=8ca74fb1-50aa-4e0c-8369-bef89caa9168&i=Untitled%20Session&e=Support&y=Guest&r=	Get hash	malicious	ScreenConnect Tool	Browse
	mscenter.Client.exe	Get hash	malicious	ScreenConnect Tool	Browse
	mscenter.Client.exe	Get hash	malicious	ScreenConnect Tool	Browse
C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\ScreenConnect.WindowsBackstageShell.exe	SSA-taxID-040071.exe	Get hash	malicious	ScreenConnect Tool	Browse
	setup.msi	Get hash	malicious	ScreenConnect Tool	Browse
	https://invauthsso.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest&t=LwhjpzcSBcSVNAZQLOJlLIeqaIvJlCTmchMvVUFudjuagQwPLN&c=val&c=gzdth&c=390948202&c=37889862&c=3076348&c=626804&c=29194&c=	Get hash	malicious	ScreenConnect Tool	Browse
	ScreenConnect.ClientSetup.exe	Get hash	malicious	ScreenConnect Tool	Browse
	ScreenConnect.ClientSetup.exe	Get hash	malicious	ScreenConnect Tool	Browse
	Facture_160087511.html	Get hash	malicious	ScreenConnect Tool	Browse
	https://zoneimport.g3639.gleeze.com:8443/Bin/ScreenConnect.WindowsBackstageShell.exe	Get hash	malicious	Unknown	Browse
	SSA-taxID-351788.exe	Get hash	malicious	ScreenConnect Tool	Browse
	https://zoneimport.g3639.gleeze.com:8443/Bin/support.Client.exe?h=zoneimport.g3639.gleeze.com&p=8041&k=BgIAAACkAABSU0ExAAgAAAEAAQC9E418YcI0GPCt6nL8JLXCrMVf52TCL6876nxAnRhTrORKZpQBP%2FOOMq8NyfwADFO5Cd84vRpMcQXSF3WH9nDCENT7s9bnfsiMfr4yv2tN2F2pLViDwga%2FKmuJQ4nHCHKP3ZiHxALI%2FiYFsUB3U7Kh29d9UfQXfO7h7RT3qvsSgosh64UPscMDajPw31sWFKkqxCX6dxsugjZn2HG3HyKdxKwdMqtEMkric02HfEdRRYE4tgBiOoxJ6Qqe%2F3Y6QGqI3ll8CZCAoPErr6Nyf%2F0mXkzkoUzaEZZ2ybUwNOgyikyAdK5HCgvcTJX%2BO4XTPvCcRTaQ8kadfT5nmEpZD7OS&s=8ca74fb1-50aa-4e0c-8369-bef89caa9168&i=Untitled%20Session&e=Support&y=Guest&r=	Get hash	malicious	ScreenConnect Tool	Browse
	mscenter.Client.exe	Get hash	malicious	ScreenConnect Tool	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7262811378151556
Encrypted:	false
SSDEEP:	1536:9J8s6YR3pnhWKInznxTgScwXhCeEcrKYSZNmTHk4UQJ32aqGT46yAwFM5hA7yH0n:9JZj5MiKNnNhoxuu
MD5:	563449F7A965B78C996B14C6A6121E0C
SHA1:	E2C7AA27E782A4553E629709F07AEFA65A01993B
SHA-256:	BAC3F3EDD3ED0310F76EEACA95193E6AABF417039C983F5174A381CD6C81E344
SHA-512:	84B7FB050F641776E20F596F2319843036422B86B4E2D7F6AFB761B42CF9045EDE2A04969D3E76519FFBE2D3F1B61187EDD8010EC35BEE170011819C118EDFED
Malicious:	false
Reputation:	low
Preview:	...........@..@9....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@....................................Fajaj.#.........`h.................h.......6.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage user DataBase, version 0x620, checksum 0x22355ce4, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7555157026899484
Encrypted:	false
SSDEEP:	1536:VSB2ESB2SSjlK/svFH03N9Jdt8lYkr3g16xj2UPkLk+kLWyrufTRryrUYc//kbxW:VazaSvGJzYj2UlmOlOL
MD5:	D0EE881B65A2B6ADD4B8D84C09464747
SHA1:	63B99A730D97B960C97541F7C4FEADA0FA60A3D7
SHA-256:	5DDB49BA7A526FAD9A68C749A7769564F734EE551955AA4C0A0AF4307F7B56B7
SHA-512:	1A52B0E561C4BA46D2246DEAD2E40F641B4C5C6A586501AFC20670F43D99B879AA071CA9D22BCC982CCEE141D69333D1A22A30A324B7E4C4A417B7E97EDC4992
Malicious:	false
Reputation:	low
Preview:	"5\.... .......7.......X\...;...{......................0.e......!...{?.16...\|..h.g.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... .......9....{...............................................................................................................................................................................................2...{...................................3..16...\|.....................16...\|...........................#......h.g.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.0784912922487637
Encrypted:	false
SSDEEP:	3:pUmXEYejTh47fNaAPaU1ll41alluxmO+l/SNxOf:p/XEzjGDNDPaUN4QgmOH
MD5:	A2BA5A1F126D8C53800149B7102E1EF4
SHA1:	369B17E4AC03C4238B5E7F0224E73BA096DF4B13
SHA-256:	59944D9032FFA9E5F477FF584A61BAEDF4F14EE61A4D5CB85639E62E1065193D
SHA-512:	0354816B74D8315B3646799EF12852928B54313D09F1008ADC9CCEED2EA29326C176F2B36A023F2C00E706307EB14FF56100B409B0F4B1C0731CACA418B477C9
Malicious:	false
Reputation:	low
Preview:	..t......................................;...{..16...\|...!...{?..........!...{?..!...{?..g...!...{?.....................16...\|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 69993 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	69993
Entropy (8bit):	7.99584879649948
Encrypted:	true
SSDEEP:	1536:iMveRG6BWC7T2g1wGUa5QUoaIB9ttiFJG+AOQOXl0Usvwr:feRG6BX6gUaHo9tkBHiUewr
MD5:	29F65BA8E88C063813CC50A4EA544E93
SHA1:	05A7040D5C127E68C25D81CC51271FFB8BEF3568
SHA-256:	1ED81FA8DFB6999A9FEDC6E779138FFD99568992E22D300ACD181A6D2C8DE184
SHA-512:	E29B2E92C496245BED3372578074407E8EF8882906CE10C35B3C8DEEBFEFE01B5FD7F3030ACAA693E175F4B7ACA6CD7D8D10AE1C731B09C5FA19035E005DE3AA
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	MSCF....i.......,...................I.................oXAy .authroot.stl.Ez..Q6..CK..<Tk...p.k..1...3...[..%Y.f..."K.6)..[I.hOB."..rK.RQ..}f..f...}....9.\|.....gA...30.,O2L...0..%.U...U.t.....`dqM2.x..t...<(uad.c...x5V.x..t..agd.v......i...KD..q(. ...JJ......#..'=. ...3.x...}...+T.K..!.'.`w .!.x.r.......YafhG..O.3....'P[..'.D../....n..t....R<..=\E7L0?{..T.f...ID...,...r....3z..O/.b.Iwx.. .o...a\.s........."..'.......<;s.[...l...6.)ll..B.P.....k.... k0.".t!/.,........{...P8....B..0(.. .Q.....d...q,\.$.n.Q.\.p...R..:.hr./..8.S<a.s...+#3....D..h1.a.0....{.9.....:e.......n.~G.{.M.1..OU.....B.Q..y_>.P{...}i.=.a..QQT.U..\|!.pyCD@.....l..70..w..)...W^.`l...%Y.\................i..=hYV.O8W@P.=.r.=..1m..1....)\.p..\|.c.3..t..[...).....l.{.Y....\S.....y....[.mCt....Js;...H....Q..F.....g.O...[..A.=...F[..z....k...mo.lW{`....O...T.g.Y.Uh.;m.'.N..f..}4..9i..t4p_bI..`.....Ie..l.P.... ...Lg......[....5g...~D.s.h'>n.m.c.7...-..P.gG...i$...v.m.b[.yO.P/*.YH.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	727
Entropy (8bit):	7.54382969053477
Encrypted:	false
SSDEEP:	12:5onfZTlc5RlRtBfQdltsJYVCpsZty3+H44fmLm7Knyhk7Yk9NpflzW+st/Ug5ddJ:5iplcdZClt5AKtDe3ny8NpflctcgzdPR
MD5:	354ADA998608DC0686312A4929BD64A8
SHA1:	163464DF45F46CB8FA311450D9BC4DE93546CF5D
SHA-256:	CD2746B8B2017A70DE07E148E21CA963143482A8EAE4716E501148DF014FAC50
SHA-512:	9CE6A1FB760BDBD346D31EE9968643846B8443CFC9AC473D561A023CC72BEBD637EE6076D0AADF201CF0177346AB822CA9D8419C575EA353BAAED3E3D417B3E1
Malicious:	false
Reputation:	low
Preview:	0..........0.....+.....0......0...0..........q]dL..g?....O..20240422184215Z0s0q0I0...+........."..;F..=\@ua..........q]dL..g?....O....@.`.L.^........20240422184215Z....20240429184215Z0....H...............2.6..Wp.....bq".@.8...W.{Bs. ..-..Kc.....e.nPKw...m...A;$.dgH..O^.?..`h..$.a.U.^...XB...}8>.....]...k.X.n.4...d8.)Q..}Y..G..^[.....`.0...C5^..b#.......C..l..[.s.w..Y.'.@x.\|.0^O..f\|..t. KK.L..3.....T.gQov$).m'....H.wy..=>\|..F.2.w...-..)...rO.Sq.......?.(Tk.&.....:..>B..y........Y.H.....a..?.6.X?..W.7}Z.q-9\|$.........vP.GM............ab..u.. .O....mK .\...b..s.G.&......$V....Gt.U....&sY..W..7..g..\|.e..~hi.p...(8..iJb>........ ..z..B.......D).a.S..'U.v5U....p........y...)N.6..h...w..\|=

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	Certificate, Version=3
Category:	dropped
Size (bytes):	1428
Entropy (8bit):	7.688784034406474
Encrypted:	false
SSDEEP:	24:nIGWnSIGWnSGc9VIyy0KuiUQ+7n0TCDZJCCAyuIqwmCFUZnPQ1LSdT:nIL7LJSRQ+QgAyuxwfynPQmR
MD5:	78F2FCAA601F2FB4EBC937BA532E7549
SHA1:	DDFB16CD4931C973A2037D3FC83A4D7D775D05E4
SHA-256:	552F7BDCF1A7AF9E6CE672017F4F12ABF77240C78E761AC203D1D9D20AC89988
SHA-512:	BCAD73A7A5AFB7120549DD54BA1F15C551AE24C7181F008392065D1ED006E6FA4FA5A60538D52461B15A12F5292049E929CFFDE15CC400DEC9CDFCA0B36A68DD
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	0...0..x..........W..!2.9...wu\0....H........0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G40...130801120000Z..380115120000Z0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G40.."0....H.............0..........sh..]J<0"0i3..%..!=..Y..).=X.v..{....0....8..V.m...y....._..<R.R....~...W.YUr.h.p..u.js2...D.......t;mq.-... .. .c)-..^N..!a.4...^.[......4@_.zf.w.H.fWW.TX..+.O.0.V..{]..O^.5.1..^......@.y.x...j.8.....7...}...>..p.U.A2...sn..\|!L....u]xf.:1D.3@...ZI...g.'..O9..X..$\F.d..i.v.v=Y]Bv...izH....f.t..K...c....:.=...E%...D.+~....am.3...K...}....!........p,A`..c.D..vb~.....d.3....C....w.....!..T)%.l..RQGt.&..Au.z._.?..A..[..P.1..r."..\|Lu?c.!_. Qko....O..E_. ........~.&...i/..-............B0@0...U.......0....0...U...........0...U..........q]dL..g?....O0....H..............a.}.l.........dh.V.w.p...J...x\.._...)V.6I]Dc...f.#.=y.mk.T..<.C@..P.R..;...ik.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	338
Entropy (8bit):	3.4469395040715534
Encrypted:	false
SSDEEP:	6:kKvI8uM/3JFN+SkQlPlEGYRMY9z+s3Ql2DUevat:4EUkPlE99SCQl2DUevat
MD5:	A881BE450887D5A10DAD5ECF348FAC2F
SHA1:	D809652E124909F95BAEFC4AECA4292E2A3BB5D5
SHA-256:	F1CDDA9E43CF66DE61C918C7CA8973CAD211A5B3A270F8BB3FE321F860CE6B88
SHA-512:	43025AE5B11D45DEBD3006CB1DCFEE9DB7C0750AB8BD09DA4669B976C6339E203841956CBD640A1547FE53C189E3216CA2968BFD6EA9E82347B634B142B6562D
Malicious:	false
Preview:	p...... .........a..&...(...............................................K."h... .........p.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	3.1173298608774545
Encrypted:	false
SSDEEP:	6:kKmlDN+SkQlPlEGYRMY9z+4KlDA3RUeVlWI/Vt:ulMkPlE99SNxAhUeVLVt
MD5:	8D5A0B6E24EC4E440E9FC5277F9CC82F
SHA1:	FB157BF9C1C2CFAE420272330E87A75B42BEBE3C
SHA-256:	6B14BAB8513E27698CF1FC8A2A329EE182891E83F65CEB39D6FAF69667D6359B
SHA-512:	7491F95A38F02CEAFC271FB3AD1C80E048AAF12D0E9EBEC335BEEE2899FDF090C44BE893692E0FAC1D1EDD5C72F1EE44B69E45A524288F60E1F2D9D33C1B4220
Malicious:	false
Preview:	p...... .........ue.(...(....................................................... ........M.........(...........i...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".b.3.6.8.5.3.8.5.a.4.7.f.d.a.1.:.0."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	412
Entropy (8bit):	4.022061937492303
Encrypted:	false
SSDEEP:	12:z8KsXD8YmxMiv8sFBSfamB3rbFURMOlAkr:4KsXD8Ymxxv7Sf13rbQJr
MD5:	AFA79A58DC8730A599CC85A26FA20527
SHA1:	6357EE214293025BF11571271063927A9E05AC6D
SHA-256:	344E8266F9599A9AC340FF42CD9B5B36F2BA3A9D95053E19AE7C6083327E822B
SHA-512:	B0C40FD5ACC6873CE7AEC450451AB82EEE8F9F086920060B3759AC12ADD756B24A880E4762770B37E7781654AC4AFAFEC507ABB3C73B6539F6C482182874DE27
Malicious:	false
Preview:	p...... ....(...w?../...(................].......{.d.....................{.d... ........l.Z... ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.f.I.s.%.2.B.L.j.D.t.G.w.Q.0.9.X.E.B.1.Y.e.q.%.2.B.t.X.%.2.B.B.g.Q.Q.U.7.N.f.j.g.t.J.x.X.W.R.M.3.y.5.n.P.%.2.B.e.6.m.K.4.c.D.0.8.C.E.A.i.t.Q.L.J.g.0.p.x.M.n.1.7.N.q.b.2.T.r.t.k.%.3.D...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	254
Entropy (8bit):	3.026428538920032
Encrypted:	false
SSDEEP:	6:kK8LDcJgjcalgRAOAUSW0PTKDXMOXISKlUp:ULYS4tWOxSW0PAMsZp
MD5:	090B3C131F5CC6109A2BCB154B23C58F
SHA1:	20E59A9BE0526456B6E4CED2E09531CA3B509456
SHA-256:	37DDB318A6EB55F23D3C8707092442728F724030878784FFB2578F0F79791D94
SHA-512:	D7F67B9C964E0917CC1F056FE3A84F56CC093E2268064964785DF69896D07220F56FA95D1EEC23852F97C383FED23E6F9E0AAE5DCC7170F61556D0B8889975FC
Malicious:	false
Preview:	p...... ....l......:....(....................................................... ............n......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.R.o.o.t.G.4...c.r.t...".5.a.2.8.6.4.1.7.-.5.9.4."...

C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\manifests\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	25496
Entropy (8bit):	5.643308879236062
Encrypted:	false
SSDEEP:	384:j3UqfoK86qvAX9hCjX9R/QPIBM7YTI7WK7jqmpKYMya:jtG6WAX94X9R/QPI+0UWK77p5a
MD5:	DFEDDC1AD6FB459B2BAC7AD77A74916B
SHA1:	370F52634C972B45137F7A529A8EE3C8F353A603
SHA-256:	D883FADA35DC662E124C167750E2227B2EB910F552A6591F6473ADC8E47FB9B9
SHA-512:	2C3363B70345DB4608FE62BA89E16BC75EC1D96BBF3FCC3074B41675F6132A866C3CECFF2F390831A518E7F660C4EB888DAFE928F871B7F4477F6D91D5EB8B71
Malicious:	false
Preview:	PcmH.........v..f..yf.......!...T...........................e...?....<.g..J.\|r,..`P....}'.d.........8........R....................U.K...W.....U..c...................'-........s".I...R.....$..........Y.p.:.........S..{.........6.......'~.x.h.....[...........5...M...8..........~9......-.a:...j.......;...K*...!.<......6..A....y.].m..C....=4.....E....&..{.!.G....qz...#aI...@.R....K.....E..X.N....u..IV..R......D..S......3LD.SV...[s.T..<Y...O.&r..Vz\...........`.......=...O...T...W...Z...].......,.......L.......T.......\.......`.......\|...........................................@.......0...........<.......T.......h.......\|...0.......................................0...........<.......T.......h.......\|...0.......................................0...........8.......L.......`...0...l.......................................................................,.......8.......L.......`.......l...........................................................................................@...

C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\manifests\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (10074), with CRLF line terminators
Category:	dropped
Size (bytes):	17866
Entropy (8bit):	5.957264907751996
Encrypted:	false
SSDEEP:	384:jeowfbgEfIaMLf6svxX9nCCX9FX9R/QPIYM7Y7:jF68xX9fX9FX9R/QPIN07
MD5:	F4B84E283123B025A90BBDE33E2080FD
SHA1:	CC57BFD02228BE76C6E08BDE16996FA992FF0E54
SHA-256:	93F9EB492B6952D8C7AA1EF1EE5A901234BA1FD2D5EF58D24E1FAEF597EA8E02
SHA-512:	ABC92965BF97C37A614B556D2219D06E63687777D79DF5FFB4B5D447DD138C160E5A45CAB76A2353D758AD62960F2E58745F0523881FF6C0EA4CCBCD7ED40002
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">.. <asmv1:assemblyIdentity name="ScreenConnect.WindowsClient.exe" version="23.9.10.8817" publicKeyToken="25b0fbb6ef7eb094" language="neutral" processorArchitecture="msil" type="win32" />.. <application />.. <entryPoint>.. <assemblyIdentity name="ScreenConnect.WindowsClient" version="23.9.10.8817" publicKeyToken="4B14C015C87C1AD8" language="neutral" processorArchitecture="msil" />.. <commandLine file="ScreenConnect.WindowsClient.exe" paramet

C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\manifests\scre..core_4b14c015c87c1ad8_0017.0009_none_65cb6507f0c2a5b9.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	3452
Entropy (8bit):	4.299422979179708
Encrypted:	false
SSDEEP:	96:EWvuWWzeV+WwQXqmL4McHoQ77QU3n8hIYX:RLJ9UMcIQnQc8f
MD5:	AC69BD47129E307E357F2702E62CBB01
SHA1:	9F5EE25DFFC8DB2EBF4C5F3D8FD4D3D11AAFA8E5
SHA-256:	DD325D71EE60DB66BF36ADE83BE95DA6665C78EACD05BA854F15D8D3CD44D8A0
SHA-512:	44E3AA107D2802F1930F5A6D134F441391E2BF12ABBD571CBE0E98D98076267C28B505D5EFC1AA4014111325D5416F27859183D716EA37AE2BB3AA50AF6081A2
Malicious:	false
Preview:	PcmH...........5.$..#...(.......T..........................."........<.g..J.\|r,..`P..............E..X......U..c...................'-........s".I...R.....$..........Y.p.:.......'~.x.h.................z..w.....[~31.X....s)..;$D......B(.........f..VC.........;..........................0...@...0...p...0.......0...................................0.......4.......D.......T.......\...4...h...........P...\...........@...................................,...(...4.......\.......d.......x...(.......................(.......................(...........$...4...,.......`...................................................................................................................................................................................................nameScreenConnect.Core%%processorArchitecture%%%msilpublicKeyToken%%4B14C015C87C1AD8version%23.9.10.8817....................................................MdHd............D...........MdSp(...$...(...(...#............... urn:schemas

C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\manifests\scre..core_4b14c015c87c1ad8_0017.0009_none_65cb6507f0c2a5b9.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.130181995746891
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onR+geP0AKvSkcVSkcMKzpdciSkTo:3FYZ8h9o4gI0AGGVETDTo
MD5:	6DA6DC34636435E9C2BD1B5FF79091B5
SHA1:	61B6D8C16330FE9063F041BCC025C10DE82D876B
SHA-256:	98D4EDAA86468540D2D17EF17A9BCD7224B128099A51A8F92A65A88950DCB44C
SHA-512:	0BB929107ECFA257DFB2FF7B37955D8C2402287E989C015632A6292362858667A398AD0563103C1324A29585A8177AAA4BCE3C57D867735E40D2CC5C996BD5B9
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Core" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="23.9.10.8817" />.. <file name="ScreenConnect.Core.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System.Configuration" publicKeyToken="b03f5f7f11d50a3a" version="2.0.0.0" />.. </dependentAssem

C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\manifests\scre..dows_4b14c015c87c1ad8_0017.0009_none_6a433ce92d10b8e9.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	5260
Entropy (8bit):	4.261752626524162
Encrypted:	false
SSDEEP:	96:hR8aP+RxU9L2eV+Ww7DkFcZJ40PJ/5r6bngnsRR:YRxUNJJ9FeW0abQc
MD5:	FCAD23892B43E0AB2FD7342EF7A641DE
SHA1:	24D07CD3A090761CE6D128630154CFA03100BBAB
SHA-256:	09572EF535C2ED1C59573F7E935489D9E6FDB46576D839CA8EDF3D4D92C6D0EC
SHA-512:	92865DC759110823B9B8B750EF15473A5A55083392D381B6469A369E8B78AC28F69AC9260D1407B94F3B6228DED400744505D8C4480EDB221FD4B39A4E13465F
Malicious:	false
Preview:	PcmH........s.'.,.+4...t.......T...............P...........3........<.g..J.\|r,..`P............O.&r..Vz.....U..c...................'-........s".I...R.....$..........Y.p.:.......[.......................z..w.....[~31.X......E..X.....s".I...R....C.........y..&..d."....B(.....#...^.ie...u&...F.....Ey)....+.`...m,......;../............... ...$...'...*...-...0...0.......0...D...0...t...0.......0.......0.......0...4...0...d...................................................................4...........4...P...........l...@.......................................(........... .......(.......<...(...L.......t.......\|...(...............................(.......................(...$.......L.......T...(...d...................(.......................(...............d...........p.......................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\manifests\scre..dows_4b14c015c87c1ad8_0017.0009_none_6a433ce92d10b8e9.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1982
Entropy (8bit):	5.056583067402645
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onRbggeP0AovSkcyMQcVSkcHSkcf5bdcadccdcckdTo:3FYZ8h9oygI0AkHMQGQAXRTFgTo
MD5:	1FB3A39063C9FBBC9252D1224CF8C89D
SHA1:	0F0622EB6205F515651E055C17D0067A94308721
SHA-256:	199C3F5089B07F1FB6CB343180620B2094BCDDA9E1F6A3F41269C56402D98439
SHA-512:	8C70FF2FE2F1935454AA6BB4CE0998DA1ADCBFE7219F1EAEE4688EE86BBC730DE30347F39B9B1413CBD345D1BF786491ED2F79142D9333DBA3A7F0EDC9F48E3A
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Windows" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="23.9.10.8817" />.. <file name="ScreenConnect.Windows.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="23.9.10.8817" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </depen

C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\manifests\scre..ient_4b14c015c87c1ad8_0017.0009_none_c7123e2bd9a688c6.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	6588
Entropy (8bit):	4.213457074896445
Encrypted:	false
SSDEEP:	96:SBHGBICeV+Wwwz8WpT4jVrN6/fTLQAaLBpP2ye5P6Rn6qB/M:9INJDpTWVBG3iLPEq6d
MD5:	C65523145F989E80F9F3045B12453659
SHA1:	760D3198B9D5FC4A5C0D5307F242186FB1DF0498
SHA-256:	525AB23579450F42A24784BC02D7E89874B7D6E82622D260A65AE35F86164E9D
SHA-512:	0A74E9F759774939C7D6FD1280271C7AD15F793DD9FC68627E5A39C38A328D13C477699D998797ECE777DBAE25B77F2954F0B371901B6042668A7A16898718D9
Malicious:	false
Preview:	PcmH........v....X.@...........T...............t...........?........<.g..J.\|r,..`P.............U.K...W.....U..c...................'-........s".I...R.....$..........Y.p.:...........}'.d................z..w.....[~31.X......E..X.....s".I...R....y..&..d."....B(.....#...C.....&...^.ie...u)...O.&r..Vz,...F.....Ey/...[s.T..<2...f..VC..5......;..8.....V....X;........... ...$...'...*...-...0...3...6...9...<...0.......0.......0.......0...4...0...d...0.......0.......0.......0...$...0...T...0.......................................................................4...$.......X...P...X...........@........................... .......0...(...8.......`.......h.......\|...(...............................(.......................(... .......H.......P...(...d...................(.......................(.......................(...0.......X.......`...(...l...................(.......................(...................................................................................................

C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\manifests\scre..ient_4b14c015c87c1ad8_0017.0009_none_c7123e2bd9a688c6.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	2573
Entropy (8bit):	5.02538862565643
Encrypted:	false
SSDEEP:	48:3FYZ8h9o5gI0A7HMQAXQ3MQTMQRGTDBTo:1YiW4AIBvtI
MD5:	EFA59A7F55AF829C3974A02F30EBE80C
SHA1:	0FABA6763D910D5EE104E3457045C63CCC5BF79B
SHA-256:	3E2D5CC7867AFA23663D5894127CE6E2880D3075773A249B37576EDA5088875A
SHA-512:	72262B09C21DC4A2B2701A5B32C149349FA3107035D5A115EAC4335E3961DCF12A7A867AEFF595C13AA618EA955B604538C0F4E529CB6A76FFF0CB75927CC74D
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.WindowsClient" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="23.9.10.8817" />.. <file name="ScreenConnect.WindowsClient.exe" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="23.9.10.8817" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System.Drawing" publicKeyToken="b03f5f7f11d50a3a" version="2.0.

C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\manifests\scre..ient_4b14c015c87c1ad8_0017.0009_none_fbe0c2da0011fbbd.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	3032
Entropy (8bit):	4.729548910460942
Encrypted:	false
SSDEEP:	48:fQK3QScrg5e6S+9oww7gB7wHzlK1SbDddFfjM2anwbn:fQDScCeV+WwwQwzlMMDrFrMnnEn
MD5:	32094132049CD39606B0EED605D02C31
SHA1:	EB61D76D707E353A4A28618C9D53C60B1C3A111D
SHA-256:	3138FA1E24C467E7822E29A081DF1E985E1A31741A2ECF9E415DC35A81B11CCE
SHA-512:	E5BE9D62D531CDF7E1E7E38E6850CB443CB504B4BD59D064ABA50DDE399CD6B009BE31EA5286A73B8D7ABE285E73AC65AFFCCB9557842C6EE2D2789D07DCE877
Malicious:	false
Preview:	PcmH..........C(...C............T....................................<.g..J.\|r,..`P............[s.T..<.....U..c...................'-........s".I...R.....$..........Y.p.:.........S..{..................z..w.....[~31.X......E..X.....s".I...R.......;......................0.......0...@...0...p...................................................................4...........<...P...........P...@...h...................................(...............................(...,.......T.......\...(...d...........(...............................................................................................................................................................nameScreenConnect.ClientprocessorArchitecture%%%msilpublicKeyToken%%4B14C015C87C1AD8version%23.9.10.8817....................................................MdHd............<...........MdSp ...$....... ...".............n: urn:schemas-microsoft-com:asm.v1.assembly.xmlns.1.0.manifestVersion urn:schemas-microsoft-com:asm.v2.asmv2)

C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\manifests\scre..ient_4b14c015c87c1ad8_0017.0009_none_fbe0c2da0011fbbd.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1041
Entropy (8bit):	5.148278749531531
Encrypted:	false
SSDEEP:	12:MMHdF4XZ8i9o9olxbv5NEgVkP0ApR7vNxW57FpS+iENg49vNxW5NgMiNg49vNxWO:JdFYZ8h9onRigeP0AqvSkcyMQcVSkTo
MD5:	9CE092E164085CE2566F654314BF99DC
SHA1:	ACEF36091EC262A4C42AA5A5B394C71B13B4767E
SHA-256:	6B36DDCE4021FD15C29CF63C7102E60EDFE2627D1B00EF97D0B4DE3051737439
SHA-512:	95BD7F9315DC181DE529D940E697B652651BC9E954E96FBC059998909259A719AF062548C533D24350C25A159CB113F568EB7C622AE3069CE25FB9224EBF02A6
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Client" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="23.9.10.8817" />.. <file name="ScreenConnect.Client.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="23.9.10.8817" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </depende

C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\manifests\scre..tion_25b0fbb6ef7eb094_0017.0009_none_4b563d129b766e28.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	14612
Entropy (8bit):	5.7120989579670205
Encrypted:	false
SSDEEP:	192:zVh4+mk9qH6FySAU8s8o5yjEadngN8s8oTN2x2QPIlFDLhEDh7BqWoDOe:zVZ9qH6UZUX95QEBX9R/QPIBM7YD1
MD5:	9FEB757DBE94A62646E168836369F0B8
SHA1:	526D5FF270C6F3BE4D9BC88C626DA9785FA925D5
SHA-256:	E73A658E04BFEF390D30DBCAD7867A3A8420BFFFD644BB49F400114AA6D10F27
SHA-512:	CF2FA04F04B665E734423843883F3AEDB3F52645195AC7B992CA23668696369B38B137A76CC67EBBEC3F2A5AA20DB205DE90E8277E7966035331B13E14A8305B
Malicious:	false
Preview:	PcmH.........2.....$...@.......T...............8...........#........<.g..J.\|r,..`PF...}&............Z.....)....E......x...\......=+.p.......I\t.\..>................j.K...6.....U..c...................'-...........-.a.....$..........Y.p.:............8........R...........}'.d....j...........K*...!.................`...........................0...................................................(.......@.......P.......T...'...X...................................................4................3......P....7......@8......H8......P8......p8......t8..L...\|8.......8.......8.......8.......8.......8..ScreenConnect.Client.manifest%%%.W.."(.v......o....T...t............-........................E......................................4.0.30319%%%Client%%4.0%ScreenConnect Software%%ScreenConnect Client....................................P.......nameScreenConnect.WindowsClient.application%processorArchitecture%%%msilpublicKeyToken%%25b0fbb6ef7eb094version%23.9.10.8817........................

C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\manifests\scre..tion_25b0fbb6ef7eb094_0017.0009_none_4b563d129b766e28.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (63847), with CRLF line terminators
Category:	dropped
Size (bytes):	112936
Entropy (8bit):	5.578736140860222
Encrypted:	false
SSDEEP:	3072:F/SGr3qk54q8sYV7WfUIRTLT7m2o9HuzhJOvP:FIk5GVW/Rnmt8vOvP
MD5:	75F072DB717ADF065F2D4DDD705A2D49
SHA1:	8165093DE1C610B4CD5B301A6237E923170618C2
SHA-256:	3C7DD342A48BDACB6CC05C422AE960D7BAF899593C7A14A075C70F478F17825C
SHA-512:	AE29ECD9CD13694075681790B909EDF50903AA3820CF278889574969D2D954E1001F0BD89DA6D4670BC08CBF0CDFCBD2CFC6FFC27E3BD16E0A6F1FC3F73C1517
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?><asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xrml="urn:mpeg:mpeg21:2003:01-REL-R-NS" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">.. <assemblyIdentity name="ScreenConnect.WindowsClient.application" version="23.9.10.8817" publicKeyToken="25b0fbb6ef7eb094" language="neutral" processorArchitecture="msil" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <description asmv2:publisher="ScreenConnect Software" asmv2:product="ScreenConnect Client" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <deployment install="false" trustURLParameters="tr

C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\manifests\scre..vice_4b14c015c87c1ad8_0017.0009_none_171efd5086820924.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	4428
Entropy (8bit):	4.419737839784223
Encrypted:	false
SSDEEP:	48:42ZCDVxQ1gXe6S+9ow87gaW75uvWN1BdwdBUpwrYLU3BJ8h5/Jnw9GUGdLf:42ZseV+Ww8z45uK2dB9YLU3g/xn6GDVf
MD5:	80A23AA3998D8A34661A690176F1D595
SHA1:	733E681A8BB13C52C329100903E5ADD5E978D71A
SHA-256:	9F89FFD3CCD80917DE71298349D70224D28410F240B57E90991469A6B600EDAC
SHA-512:	6115B3E8B985F79AFCFC6A51F6EBC2B557B68F2B18109A212764B79C49E1DA4B45CEC6165094EA13B3257A2EF1371ABEA416F5C1A3A84F3026F2705EF9F93D45
Malicious:	false
Preview:	PcmH...........5.+.,...T.......T...............8...........+........<.g..J.\|r,..`P...............3LD.S.....U..c...................'-........s".I...R.....$..........Y.p.:..........6...................z..w.....[~31.X......E..X.....s".I...R....y..&..d......B(.........O.&r..Vz!...[s.T..<$......;..'..................."...%...(...0.......0.......0.......0...D...0...t...0................................................... .......0.......8...4...D.......x...P...l...........@...................,.......4.......D...(...L.......t.......\|...........(...............................(................... ...(...8.......`.......h...(...\|...................(...............L...........0...................................................................................................................................................................................................................................................................................................nameScreenConnect.Cl

C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\manifests\scre..vice_4b14c015c87c1ad8_0017.0009_none_171efd5086820924.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1636
Entropy (8bit):	5.0848956029560135
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onRzgeP0A2+vSkcyMQcbEMQcuMQcVSkcf5bdTo:3FYZ8h9o9gI0A2CHMQTMQ3MQGAXTo
MD5:	F94D041A8128BE81C4347CAF6A3C47BF
SHA1:	3285F9ACF70C0E4D34F888C28BD3F693E3DF5909
SHA-256:	91A65BACAD5F7F70BDDC6209ED65DD5C375CEF9F3C289EAB83FD90D622ADF46B
SHA-512:	90199543207CAF9B4501BE7E9509DC9526DAFCD5602AAED700314763021C8F3ED06D93A31A90A34CB19D4FB7184AA7D154B197F9E535657AEB9EB872DA377A41
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.ClientService" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="23.9.10.8817" />.. <file name="ScreenConnect.ClientService.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="23.9.10.8817" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Windows" publicKeyToken="4b14c015c87c1ad8" versio

C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\ScreenConnect.ClientService.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	95520
Entropy (8bit):	6.505299402844754
Encrypted:	false
SSDEEP:	1536:0g1s9pgbNBAklbZfe2+zRVdHeDxGXAorrCnBsWBcd6myJkg4T0HMc7Jxc:NhbNDxZGXfdHrX7rAc6myJkg4T0H/A
MD5:	DC615E9D8EC81CBF2E2452516373E5A0
SHA1:	EC83D37A4F45CAEB07B1605324D0315F959452E9
SHA-256:	E9AB064ED381C29A3930F75CA3E05605C6EE07F30A69C043F576A5461DE3BAFC
SHA-512:	82FE00447FB9785264DFB8032399ADF6D33D91D71058212D252742C9E5FD54F5A52F6BAF4FB05E95F9A4055057C60A33A7C1C642F18A6A4E045B49BE88FA5D9F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Joe Sandbox View:	Filename: SSA-taxID-040071.exe, Detection: malicious, Browse Filename: setup.msi, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: ScreenConnect.ClientSetup.exe, Detection: malicious, Browse Filename: ScreenConnect.ClientSetup.exe, Detection: malicious, Browse Filename: Facture_160087511.html, Detection: malicious, Browse Filename: SSA-taxID-351788.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: mscenter.Client.exe, Detection: malicious, Browse Filename: mscenter.Client.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(..qF.qF.qF....qF.....qF....qF.<.B.qF.<.E.qF.<.C.qF....qF.#..qF.qG..qF.2.O.qF.2...qF.2.D.qF.Rich.qF.........................PE..L.....wc...............!.............!............@..................................t....@.................................p...x....`..X............L.. )...p......`!..p............................ ..@............................................text...:........................... ..`.rdata...f.......h..................@..@.data........@.......,..............@....rsrc...X....`.......6..............@..@.reloc.......p.......<..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\ScreenConnect.WindowsBackstageShell.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	61216
Entropy (8bit):	6.318400837211405
Encrypted:	false
SSDEEP:	1536:0Ai+pmi/djqbv8DtYQ4RE+TC3l/ibU37DIx4:0Upmi1YQb1l3X
MD5:	10DBA57F22A6AB4039330000570F39F8
SHA1:	B8B5C65A89256177DA802C4C9CBD11B013221730
SHA-256:	9BD8D15759F83D99EDD1F2617D59A94E1C2BB4BD7C4977958F5D5F22C5A7C469
SHA-512:	38230B63A4630145608F619D75CA3115C05AB0338FB57566E012DF1BD157123A670A37AE0FEA92351AB7352319A5AF29F9DB3F8BB14962F3F0DE3A4F5A5B754C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: SSA-taxID-040071.exe, Detection: malicious, Browse Filename: setup.msi, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: ScreenConnect.ClientSetup.exe, Detection: malicious, Browse Filename: ScreenConnect.ClientSetup.exe, Detection: malicious, Browse Filename: Facture_160087511.html, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: SSA-taxID-351788.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: mscenter.Client.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...."............"...0.............6.... ........@.. ....................... ............@.....................................O.......,............... )..........(...8............................................ ............... ..H............text...<.... ...................... ..`.rsrc...,...........................@..@.reloc..............................@..B........................H........S...............................................................(....^.(.......a...%...}....:.(......}....:.(......}....:.(......}........0..........(....(....(....(....r...p(....o....(....(....r...p..~....(....(....r9..p..~....(....(.....g~).....(....rY..p.(....&(.....(....s ...(!...s....(".....0...........(#.....($.....(%....s....%.o&...%.o'...%.o(...%s!...o)...%~....o*...}......(....o+...o,....(-.....@...%..(.....o.....s/...}.....{...........s0...o1....s...

C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\ScreenConnect.WindowsBackstageShell.exe.config

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\ScreenConnect.WindowsClient.exe.config

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\ScreenConnect.WindowsFileManager.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	81696
Entropy (8bit):	5.850192336318162
Encrypted:	false
SSDEEP:	1536:GxIh+Sflv4V/bBI5kLP+VVVVVVVVVVVVVVVVVVVVVVVVVC7xk7NxGC:Em9CukLdtkL
MD5:	C333D3A6EEB74E4D76C3B9E0F6BFD04C
SHA1:	A39E2643E8DBD2097829E0B08938726557CB8E36
SHA-256:	998D7A0CD6B1A837489E55E99CB992088B9FDE220A1025346A461849E1F50D22
SHA-512:	58CC7741EBE1AADA93FD82A3E0A571A9A1AA3E400C46E7CDDDEF876D74F4FBBCBAE4293AC556B3823E8DC977E7CE72337A16C2D48EAB0AA52B736412AE43C634
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0..@..........B^... ...`....@.. .......................`.......<....@..................................]..O....`.. ............... )...@......<]..8............................................ ............... ..H............text...H>... ...@.................. ..`.rsrc... ....`.......B..............@..@.reloc.......@......................@..B................#^......H...........1...................\........................................(....^.(.......;...%...}....:.(......}....:.(......}....:.(......}........0..........s>....(....(....(....(....(.....(....(......s....}C....s....}B...~@...%-.&~?.....<...s ...%.@.......?...s ........@...s!...}D......A...s"..........(#...&......(#...& .... ...........($...&s....t......r...prs..p(%...(&...~>...%-.&...'...s(...%.>.....A...().......(*........(+...o,...(-...t..........o$.......o%.......

C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\ScreenConnect.WindowsFileManager.exe.config

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..core_4b14c015c87c1ad8_0017.0009_none_65cb6507f0c2a5b9\ScreenConnect.Core.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	531456
Entropy (8bit):	6.031735419537473
Encrypted:	false
SSDEEP:	6144:ZPpB0+E5A976t5puf9NTh/k4dKRYJUYg7N+earZ5Ghfn55AJ6m/JaXAQKx4kEYYo:dpq+Ezuf9N0RYJZPUI6
MD5:	B319407E807BE1A49E366F7F8EA7EE2A
SHA1:	B12197A877FB7E33B1CB5BA11B0DA5CA706581BA
SHA-256:	761B7E50BAA229E8AFCD9A50990D7F776DDB5ED1EA5FBB131C802E57CF918742
SHA-512:	DC497643790DC608DECE9C8FE7264EFEDD13724BD24C9BF28A60D848B405FDDEFB8337A60F3F32BB91518910E02C7A2AAF29FC32F86A464DFCAFA365526BDB7F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0............../... ...@....... ...............................8....@.................................1/..O....@.......................`..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................e/......H........2..(.............................................................{9.....{:...V.(;.....}9.....}:......0..A........ur.......4.,/(<....{9....{9...o=...,.(>....{:....{:...o?...... ... )UU.Z(<....{9...o@...X )UU.Z(>....{:...oA...X...0..b........r...p......%..{9......%qu....u...-.&.+...u...oB....%..{:......%qv....v...-.&.+...v...oB....(C.....{D.....{E...V.(;.....}D.....}E....0..A........uw.......4.,/(<....{D....{D...o=...,.(>....{E....{E...o?...... F.b# )UU.

C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..dows_4b14c015c87c1ad8_0017.0009_none_6a433ce92d10b8e9\ScreenConnect.Windows.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1716224
Entropy (8bit):	6.635479721420864
Encrypted:	false
SSDEEP:	24576:ZSjm7Fj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPTsUw:Sm7JkGYYpT0+TFiH7efP
MD5:	29454A0CB83F28C24805E9A70E53444A
SHA1:	334202965B07AB69F08B16FED0EE6C7274463556
SHA-256:	998CC3F9AF5BD41CCF0F9BE86192BBE20CDEC08A6FF73C1199E1364195A83E14
SHA-512:	62790920974A2F1B018D466AE3E3B5100006A3C8013F43BDB04AF7074CFE5D992CAAEB610DE2B1B72FF0E4ACF8762DB1513A4A0CF331F9A340AE0CE53C3BE895
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....L............" ..0..(...........F... ...`....... ..............................lc....@..................................E..O....`.............................. E..8............................................ ............... ..H............text...(&... ...(.................. ..`.rsrc........`.....................@..@.reloc..............................@..B.................E......H.......$...L...........p...0....D........................................()...^.()..........%...}....:.().....}....:.().....}....:.().....}......s.....s+...:.(,.....(-.....{...."..}....J.(/........(0...&:.(,.....(1.....{2..."..}2....0..(........(3......+.............(0...&..X....i2.v.(,....s4...}.....s5...}....f.{......(...+.....o7.....0...........o8....+..o9......(...+&.o....-....,..o................."........{..........o:...&.......(.....*....0..L.......

C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..ient_4b14c015c87c1ad8_0017.0009_none_c7123e2bd9a688c6\ScreenConnect.WindowsClient.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	587040
Entropy (8bit):	6.166636022526366
Encrypted:	false
SSDEEP:	12288:npu96mzdjnwbrYQySjbs03fG+Yg2PgG7x:CpjpSjq77x
MD5:	5DEC65C4047DE914C78816B8663E3602
SHA1:	8807695EE8345E37EFEC43CBC0874277ED9B0A66
SHA-256:	71602F6B0B27C8B7D8AD624248E6126970939EFFDE785EC913ACE19052E9960E
SHA-512:	27B5DCB5B0AEADF246B91A173D06E5E8D6CF2CD19D86CA358E0A85B84CD9D8F2B26372EF34C3D427F57803D90F2E97CF59692C80C268A71865F08FC0E7CE42D1
Malicious:	false
Yara Hits:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..ient_4b14c015c87c1ad8_0017.0009_none_c7123e2bd9a688c6\ScreenConnect.WindowsClient.exe, Author: Joe Security Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..ient_4b14c015c87c1ad8_0017.0009_none_c7123e2bd9a688c6\ScreenConnect.WindowsClient.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 7%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...twP..........."...0.................. ........@.. .......................@.......a....@.....................................O....................... )... ..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H........7......................`.........................................{F.....{G...V.(H.....}F.....}G......0..A........u,.......4.,/(I....{F....{F...oJ...,.(K....{G....{G...oL...... }.o )UU.Z(I....{F...oM...X )UU.Z(K....{G...oN...X...0..b........r...p......%..{F......%q/..../...-.&.+.../...oO....%..{G......%q0....0...-.&.+...0...oO....(P.....{Q.....{R...V.(H.....}Q.....}R....0..A........u1.......4.,/(I....{Q....{Q...oJ...,.(K....{R....{R...oL...... 1.c. )UU.

C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..ient_4b14c015c87c1ad8_0017.0009_none_c7123e2bd9a688c6\ScreenConnect.WindowsClient.exe:Zone.Identifier

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:gAWY3n:qY3n
MD5:	FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA1:	D59FC84CDD5217C6CF74785703655F78DA6B582B
SHA-256:	EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
SHA-512:	AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
Malicious:	false
Preview:	[ZoneTransfer]..ZoneId=3..

C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..ient_4b14c015c87c1ad8_0017.0009_none_fbe0c2da0011fbbd\ScreenConnect.Client.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	192512
Entropy (8bit):	6.5759745825926155
Encrypted:	false
SSDEEP:	3072:NfVfH24qg0+UkqVk9kkkkkkHEkkkNikkAkkkkkkkkpkkAkKMi7stGzHqcyzdWFDm:H+a0+UkqVk9kkkkkkHEkkkNikkAkkkku
MD5:	6BC9611D5B6CEE698149A18D986547A8
SHA1:	F36AB74E4E502FDAF81E101836B94C91D80CB8EA
SHA-256:	17377A52EEAE11E8EE01EB629D6A60C10015AD2BB8BC9768E5C8E4B6500A15ED
SHA-512:	3F23670D0BA150DE19A805DB6BEB6EED8538BBAD6FBE3CC21D17D738A43CF411C679A23CEA11549E69BE0321E672F740791D40E92498AEF9D1F8650743EE85EA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R.B..........." ..0.................. ... ....... .......................`.......0....@.................................5...O.... .......................@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................i.......H........................L................................................(......(....^.(...........%...}....:.(......}....:.(......}....:.(......}......{....:.(......}.....0..A........(....s....%.~....%-.&~......\...s....%.....(...+(...+o....o........0..s.......~ .....2. ....+...j..... ......... ...............%.r...p.%.r...p............%.....(!....5..............s"....=.....0...........~....%-.&~......_...s#...%.....(...+..~....%-.&~......`...s%...%.....(...+.r9..

C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\Client.en-US.resources

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe
File Type:	data
Category:	dropped
Size (bytes):	48951
Entropy (8bit):	4.764447249091755
Encrypted:	false
SSDEEP:	768:jjhcIEFtl7CWQNzSB3CFLI0pDplrd5UVXWFhj39CwWLVhuK81htvrKetEpGcWITc:jjhcpFt9QNzi3CFLI0Vplrd5UVXWFhjF
MD5:	3E83A3AA62C5FF54ED98E27B3FBECF90
SHA1:	96D8927C870A74A478864240B3ACE94AD543DFB8
SHA-256:	2D88B97D28BE01ABCA4544C6381A4370C1A1CE05142C176742F13B44889DDF90
SHA-512:	EA9D05A4AA1EE5CCCC61C4F5E8994EFBA9EFFF0549B69577BEF1F2A22CCE908739124EFF1E0DB5CFDD69E077AD2D7CDB1307DE92D79673C9309EE621CB139956
Malicious:	false
Preview:	...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP.q...'..6....wp.......y....C\|.)>..Ldt..... $..........1$.../...2.%%3./>>...L.y.0.C._.........1Y..Qj.o....<....=...R..;...C....&.......1p2.r.x.u?Y..R...c......X.....I.5.2q..R...>.E.pw .@ ).w.l.....S...X..'.C.I..-.Y........4.J..P<.E..=c!.@To..#.._.2.....K.!..h...z......t......^..4...D...f..Q...:..%.z.<......^.....;<...r..yC.....Q........4_.Sns..z.......=..]t...X..<....8.e`}..n....S.H[..S@?.~....,...j.2..v.......B....A...a......D..c..w..K,..t...S.....v....7.6\|..&.....r....#....G......Y...i..'.............'.......Z.....#2e..........\|....)..%....A.....4{..u;N......&q...}.tD..x.....4...J...L......5.Q..M....K..3U..M..........5...........t.>.......lYu....3TY.?...r...'.......3.m........=.H...#.o.........n.....,4.~...<h..u...i.H...V......V/...P.$%..z....V".........

C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\Client.resources

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe
File Type:	data
Category:	dropped
Size (bytes):	26722
Entropy (8bit):	7.7401940386372345
Encrypted:	false
SSDEEP:	384:rAClIRkKxFCQPZhNAmutHcRIfvVf6yMt+FRVoSVCdcDk6jO0n/uTYUq5ZplYKlBy:MV3PZrXgTf6vEVm6zjpGYUElerG49
MD5:	5CD580B22DA0C33EC6730B10A6C74932
SHA1:	0B6BDED7936178D80841B289769C6FF0C8EEAD2D
SHA-256:	DE185EE5D433E6CFBB2E5FCC903DBD60CC833A3CA5299F2862B253A41E7AA08C
SHA-512:	C2494533B26128FBF8149F7D20257D78D258ABFFB30E4E595CB9C6A742F00F1BF31B1EE202D4184661B98793B9909038CF03C04B563CE4ECA1E2EE2DEC3BF787
Malicious:	false
Preview:	...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP)...s^.J.....E.....(....jF.C...1P)...H..../..72J..I.J.a.K8c._.ks`.k.`.kK..m.M6p............b...P...........'...!...............K...............w.......P.......1......."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.1.6.....$A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.2.5.6....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.3.2....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.4.8.....,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.B.l.a.n.k.1.6.;...(A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.M.a.c.2.2.....0A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.O.p.a.q.u.e.1.9.2.8...,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.T.i.t.l.e.1.6.....6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.C.o.l.o.r.4...6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.:...DB.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.V.i.s.i.b.l.e.xb..B.l.a.n.k.M.o.n.i.t.o.r.T.e.x.t.C.o.l.o.r..b..D.a.r.k.T.h.e.m.e.B.a.r.B.a.s.e.C.o.l.o.r..b..<D.a.r.k.T.h.

C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\bifwfzz4.newcfg

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	585
Entropy (8bit):	5.015709672933714
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlb2BEqyI9mv3Uxe/vXbAa5:2dL9hK6E46YPRbJRI4UevH
MD5:	DB9F2015FE07C21D498B781A10268EF7
SHA1:	7FB53A197F1FAC2F57EB2E47BA379E33CC5B2569
SHA-256:	6B8C841CE97582F0CF98BA5B75A89A2A9116854268EB4A9FA26365901F2B3888
SHA-512:	90723817C7DA19CD855695EA624D747F0E7E5E3652DFF1ADA939FEF6005D0434A69B11E8BFD390CC1D1FD05E6398846B28C269D73BC7FC2B56427A199BEB896B
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-ci40ys-relay.screenconnect.com=147.28.128.252-24%2f04%2f2024%2000%3a56%3a42</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\dy0wzbk0.newcfg

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	585
Entropy (8bit):	5.016972707243389
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlb2BEqyI9mv3o/vXbAa3xT:2dL9hK6E46YPRbJRI4evH
MD5:	2DE7477DFFD462CA050B63CFE5C80EB0
SHA1:	2A6023B45B1542AF4D6CF9A4C1B2AB3F4868C1A4
SHA-256:	4918AF9F275D74A668CC2A04E89FBC6DFF2DF509D3DFA36CD8F133AB3DA6DEE3
SHA-512:	C3E22C94E6B395B8A0C17F6187FBFEAA917B42E12FB0C6CBB8BBAFF65918AA80E900025209A2EA8AC1F263122B54861B0FC7143B453982E7C014BEF8350AFD89
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-ci40ys-relay.screenconnect.com=147.28.128.252-24%2f04%2f2024%2000%3a55%3a26</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ebm2ti0m.newcfg

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	585
Entropy (8bit):	5.016972707243389
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlb2BEqyI9mv3Ulv/vXbAa5:2dL9hK6E46YPRbJRI4Ul3vH
MD5:	B496A99C31783C9ECE0DB0CA7C02702B
SHA1:	59F65CD98BDD4D510D8F637CFFE49134581D81F3
SHA-256:	4BB48DDF8C6FC113F4858499CB00CBC1C6C644AEFEA8D15580D95B9B3805322F
SHA-512:	1E7D58F10A556C2A45E6E7E3D39DF015344452A14C43256EC7433797170FD10E1134547C43F6A732A22F5427C47308B4B4EAA0A7415D8C95D97FB6D8FC8BAFC9
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-ci40ys-relay.screenconnect.com=147.28.128.252-24%2f04%2f2024%2000%3a56%3a25</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\f21zdeor.newcfg

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	585
Entropy (8bit):	5.01295815075519
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlb2BEqyI9mv36/vXbAa3xT:2dL9hK6E46YPRbJRI4QvH
MD5:	F588B7F2A02479D2F0A6970D22123885
SHA1:	11A7FE312FD1F94BFE05B57AEEDEF9F0F0E790BE
SHA-256:	4E19CF5BC620347ADEC849EF5FF5E72165D85E3C5A3BE60772BD7DAF1D3FFBE2
SHA-512:	E7472F6DA5833130408A77A8DF17F604608C2D5F84F8ADE8F7768A2BEAD5A335C037D29AB04079948F02E4BAE953211DBF46343B3F80E1A3E80F4B93A982634A
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-ci40ys-relay.screenconnect.com=147.28.128.252-24%2f04%2f2024%2000%3a55%3a24</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\fzfeijmj.newcfg

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	585
Entropy (8bit):	5.015674995812113
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlb2BEqyI9mv375gg/vXbA2:2dL9hK6E46YPRbJRI4VFvH
MD5:	C484B8FE76B37F06BE29A02EA3747FC9
SHA1:	0DFA8F2DDEDFBBAE1B5862DA30246ADBDB61E00A
SHA-256:	A42E8E8421432A87D998999B71153E07795981D5F8101ADD2D0E8C890C28CC3A
SHA-512:	24A9DB7EFE8643B6B3F9A19EFC0F53054823D53D09948644A50A9E5CB821ED53D952D1F7BED369D32C8A1C8EC2B724DC920021AC688CA87F5C7FA47E56B3D4A6
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-ci40ys-relay.screenconnect.com=147.28.128.252-24%2f04%2f2024%2000%3a55%3a43</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\lflevkor.newcfg

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	585
Entropy (8bit):	5.016441459086825
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlb2BEqyI9mv3/Qv/vXbAa5:2dL9hK6E46YPRbJRI4/Q3vH
MD5:	A72C3A68DAD3BF44938C4F40666FDC80
SHA1:	A060A8B539EAB549580AE7572AC3DAB078562F51
SHA-256:	EDBC339BDE768D570AA1C37943D66E6DF4B5FEED9A188917C325EBCDBDDD4F58
SHA-512:	15024F0865D292C63D2C65D73446C964901EC771844CAAE031D30545DE817F82BC9AB48E82675093F9E97C01EFF2F1B547346559515830C1386C66371E9CDBAC
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-ci40ys-relay.screenconnect.com=147.28.128.252-24%2f04%2f2024%2000%3a55%3a35</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\lvpqrc3j.newcfg

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	585
Entropy (8bit):	5.014619804943657
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlb2BEqyI9mv3wQv/vXbAa5:2dL9hK6E46YPRbJRI4wGvH
MD5:	4BA3384BC02414AE5CEC65D4BA15B62A
SHA1:	4364D2313DAB5247EB898EB558E5EDA4D6CA870C
SHA-256:	85C89FBD3BE7474A80CD70F3E20DB8EA74633555FEAAFA300732D3FCC19661FC
SHA-512:	6AD47B99929DFB54D7C067E30419CFDCED047A04ECCC31708BD5408E70571F215E04274EC39615D50D0B7A8D69158B8365DBF91E776963D87831F8A0DE612C27
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-ci40ys-relay.screenconnect.com=147.28.128.252-24%2f04%2f2024%2000%3a57%3a07</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\user.config (copy)

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	585
Entropy (8bit):	5.01295815075519
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlb2BEqyI9mv36/vXbAa3xT:2dL9hK6E46YPRbJRI4QvH
MD5:	F588B7F2A02479D2F0A6970D22123885
SHA1:	11A7FE312FD1F94BFE05B57AEEDEF9F0F0E790BE
SHA-256:	4E19CF5BC620347ADEC849EF5FF5E72165D85E3C5A3BE60772BD7DAF1D3FFBE2
SHA-512:	E7472F6DA5833130408A77A8DF17F604608C2D5F84F8ADE8F7768A2BEAD5A335C037D29AB04079948F02E4BAE953211DBF46343B3F80E1A3E80F4B93A982634A
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-ci40ys-relay.screenconnect.com=147.28.128.252-24%2f04%2f2024%2000%3a55%3a24</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\xlluc3ct.newcfg

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	585
Entropy (8bit):	5.014619804943657
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlb2BEqyI9mv3x/vXbAa3xT:2dL9hK6E46YPRbJRI4ZvH
MD5:	E4BBC6C9286F5A0E3C07F7B312E31D09
SHA1:	F7F664A5149CD4ADA83C504B493FBDEC6BA6CFA4
SHA-256:	1C86EA2B3188BF826BC7371C470A38BDB9EB86D6601AE91B88AE55CBDBB3322B
SHA-512:	CA5D7F90E6B271998868ED5A774F05553D85DB5131FAA3946A772710F924350B619D51F0DBC63C5F7C277868E5DB4C36141A09533206EB23E6AA18D3EAE03D07
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-ci40ys-relay.screenconnect.com=147.28.128.252-24%2f04%2f2024%2000%3a55%3a30</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..vice_4b14c015c87c1ad8_0017.0009_none_171efd5086820924\ScreenConnect.ClientService.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	61952
Entropy (8bit):	6.0424578422545006
Encrypted:	false
SSDEEP:	1536:7Sx8zDzYn1DruJCelbgZfBQeV8lsNEbgO:7Sx8z/uNruJv9wQeVXK
MD5:	22AF3A23BD30484514CDACF67C5B3810
SHA1:	E92A4EAEE9D896964DE541CE2F01C2404B638258
SHA-256:	7C5442121DBA2A30AB9579EC08E111DED372CF9CF90FB3256F273980B975AFA9
SHA-512:	95E40B27E90FCE7CA85E76AFBBC16EB62B4BB977664702B987DE2EB2294E6FE9E6DF5610EC7B2362C2C68493313F30FBBCBD3446DBE8AE2FA47B89407F5D5936
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....h............" ..0.............B.... ... ....... .......................`.......l....@.....................................O.... .......................@......D...8............................................ ............... ..H............text...h.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................!.......H........f................................................................(....^.(.......\|...%...}....:.(......}....:.(......}....:.(......}.....~)...%-.&~(.....f...s....%.)...(...+vs....%.}M.........s....(........0...........s....}.....s....}...........}.......($.....}.....(....&.('..........s....o.....('...~...%-.&~(.....g...s....%.*...o ....s!...}.....s"...}.....s#...}...... .... 0u.........s....s;...}....... ..6........s....s;...}.....(%...($............o%........

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1373
Entropy (8bit):	5.369201792577388
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KaXE4qpAE4KKUNKKDE4KGKZI6KhPKIE4TKBGKoM:MxHKQ71qHGIs0HKEHmAHKKkKYHKGSI65
MD5:	1BF0A215F1599E3CEC10004DF6F37304
SHA1:	169E7E91AC3D25D07050284BB9A01CCC20159DE7
SHA-256:	D9D84A2280B6D61D60868F69899C549FA6E4536F83785BD81A62C485C3C40DB9
SHA-512:	68EE38EA384C8C5D9051C59A152367FA5E8F0B08EB48AA0CE16BCE2D2B31003A25CD72A4CF465E6B926155119DAB5775A57B6A6058B9E44C91BCED1ACCB086DB
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..2,"System.Deployment, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, Pu

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dfsvc.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1662
Entropy (8bit):	5.368796786510097
Encrypted:	false
SSDEEP:	48:M1H2HKQ71qHGIs0HKGAHKKkKYHKGSI6oPtHTH+JHvHlu:gWq+wmj0qxqKkKYqGSI6oPtzHIPQ
MD5:	F133699E2DFF871CA4DC666762B5A7FF
SHA1:	185FC7D230FC1F8AFC9FC2CF4899B8FFD21BCC57
SHA-256:	9BA0C7AEE39ACD102F7F44D289F73D94E2FD0FCD6005A767CD63A74848F19FC7
SHA-512:	8140CDCE2B3B92BF901BD143BFC8FB4FE8F9677036631939D30099C7B2BB382F1267A435E1F5C019EFFFF666D7389F77B06610489D73694FA31D16BD04CAF20A
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Deployment, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, Pu

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ScreenConnect.ClientService.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.345615485833535
Encrypted:	false
SSDEEP:	24:ML9E4KlKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKlYHKh3oPtHo6hAHKzeR
MD5:	EEEC189088CC5F1F69CEE62A3BE59EA2
SHA1:	250F25CE24458FC0C581FDDF59FAA26D557844C5
SHA-256:	5345D03A7E6C9436497BA4120DE1F941800F2522A21DE70CEA6DB1633D356E11
SHA-512:	2E017FD29A505BCAC78C659DE10E0D869C42CE3B057840680B23961DBCB1F82B1CC7094C87CEEB8FA14826C4D8CFED88DC647422A4A3FA36C4AAFD6430DAEFE5
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\GWVHVA9M.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (644), with CRLF line terminators
Category:	dropped
Size (bytes):	15170
Entropy (8bit):	3.8092636799708
Encrypted:	false
SSDEEP:	96:t6BKWAdPG+EJExI9hO/BBaOy0lxAdPG+EJExI9h21gn/J8AkVFiAdPG+EJExI9hM:SSUEu9I/aWSUEu986rSUEu9O0LEv
MD5:	C77B8837F2E12B9BFD6007C30CABEFDD
SHA1:	D3CBD784C3C5D72590B52AF1BD8D0837B3F1581B
SHA-256:	3396B2A9AC2ED1F8204D9143A3DC027A9766DC551AB9FE7CC9B7822B357098AB
SHA-512:	4AA2205F3425EF25C2E216CB1C6FF160B4F81F6DAE2B1FE4B720D7234240D8931F6127DC6A0DD8D7D38F49B83E19E870FE5CDD1D7492F2B9DFA87FCEF59367C4
Malicious:	false
Preview:	..P.L.A.T.F.O.R.M. .V.E.R.S.I.O.N. .I.N.F.O.......W.i.n.d.o.w.s. .......:. .1.0...0...1.9.0.4.5...0. .(.W.i.n.3.2.N.T.).......C.o.m.m.o.n. .L.a.n.g.u.a.g.e. .R.u.n.t.i.m.e. ...:. .4...0...3.0.3.1.9...4.2.0.0.0.......S.y.s.t.e.m...D.e.p.l.o.y.m.e.n.t...d.l.l. .....:. .4...8...4.2.7.0...0. .b.u.i.l.t. .b.y.:. .N.E.T.4.8.R.E.L.1.L.A.S.T._.C.......c.l.r...d.l.l. .......:. .4...8...4.5.1.5...0. .b.u.i.l.t. .b.y.:. .N.E.T.4.8.R.E.L.1.L.A.S.T._.C.......d.f.d.l.l...d.l.l. .......:. .4...8...4.2.7.0...0. .b.u.i.l.t. .b.y.:. .N.E.T.4.8.R.E.L.1.L.A.S.T._.C.......d.f.s.h.i.m...d.l.l. .......:. .1.0...0...1.9.0.4.1...3.0.0.0.0. .(.W.i.n.B.u.i.l.d...1.6.0.1.0.1...0.8.0.0.).........S.O.U.R.C.E.S.......D.e.p.l.o.y.m.e.n.t. .u.r.l.......:. .h.t.t.p.s.:././.m.a.r.c.i.l.e.6.1...s.c.r.e.e.n.c.o.n.n.e.c.t...c.o.m./.B.i.n./.S.c.r.e.e.n.C.o.n.n.e.c.t...C.l.i.e.n.t...a.p.p.l.i.c.a.t.i.o.n.?.e.=.S.u.p.p.o.r.t.&.y.=.G.u.e.s.t.&.h.=.i.n.s.t.a.n.c.e.-.c.i.4.0.y.s.-.r.e.l.a.y...s.c.r.e.e.n.c.o.n.n.e.c.t...c.o.m.&.

C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.Client.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	192512
Entropy (8bit):	6.5759745825926155
Encrypted:	false
SSDEEP:	3072:NfVfH24qg0+UkqVk9kkkkkkHEkkkNikkAkkkkkkkkpkkAkKMi7stGzHqcyzdWFDm:H+a0+UkqVk9kkkkkkHEkkkNikkAkkkku
MD5:	6BC9611D5B6CEE698149A18D986547A8
SHA1:	F36AB74E4E502FDAF81E101836B94C91D80CB8EA
SHA-256:	17377A52EEAE11E8EE01EB629D6A60C10015AD2BB8BC9768E5C8E4B6500A15ED
SHA-512:	3F23670D0BA150DE19A805DB6BEB6EED8538BBAD6FBE3CC21D17D738A43CF411C679A23CEA11549E69BE0321E672F740791D40E92498AEF9D1F8650743EE85EA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R.B..........." ..0.................. ... ....... .......................`.......0....@.................................5...O.... .......................@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................i.......H........................L................................................(......(....^.(...........%...}....:.(......}....:.(......}....:.(......}......{....:.(......}.....0..A........(....s....%.~....%-.&~......\...s....%.....(...+(...+o....o........0..s.......~ .....2. ....+...j..... ......... ...............%.r...p.%.r...p............%.....(!....5..............s"....=.....0...........~....%-.&~......_...s#...%.....(...+..~....%-.&~......`...s%...%.....(...+.r9..

C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.Client.dll.genman

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1041
Entropy (8bit):	5.148278749531531
Encrypted:	false
SSDEEP:	12:MMHdF4XZ8i9o9olxbv5NEgVkP0ApR7vNxW57FpS+iENg49vNxW5NgMiNg49vNxWO:JdFYZ8h9onRigeP0AqvSkcyMQcVSkTo
MD5:	9CE092E164085CE2566F654314BF99DC
SHA1:	ACEF36091EC262A4C42AA5A5B394C71B13B4767E
SHA-256:	6B36DDCE4021FD15C29CF63C7102E60EDFE2627D1B00EF97D0B4DE3051737439
SHA-512:	95BD7F9315DC181DE529D940E697B652651BC9E954E96FBC059998909259A719AF062548C533D24350C25A159CB113F568EB7C622AE3069CE25FB9224EBF02A6
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Client" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="23.9.10.8817" />.. <file name="ScreenConnect.Client.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="23.9.10.8817" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </depende

C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.ClientService.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	61952
Entropy (8bit):	6.0424578422545006
Encrypted:	false
SSDEEP:	1536:7Sx8zDzYn1DruJCelbgZfBQeV8lsNEbgO:7Sx8z/uNruJv9wQeVXK
MD5:	22AF3A23BD30484514CDACF67C5B3810
SHA1:	E92A4EAEE9D896964DE541CE2F01C2404B638258
SHA-256:	7C5442121DBA2A30AB9579EC08E111DED372CF9CF90FB3256F273980B975AFA9
SHA-512:	95E40B27E90FCE7CA85E76AFBBC16EB62B4BB977664702B987DE2EB2294E6FE9E6DF5610EC7B2362C2C68493313F30FBBCBD3446DBE8AE2FA47B89407F5D5936
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....h............" ..0.............B.... ... ....... .......................`.......l....@.....................................O.... .......................@......D...8............................................ ............... ..H............text...h.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................!.......H........f................................................................(....^.(.......\|...%...}....:.(......}....:.(......}....:.(......}.....~)...%-.&~(.....f...s....%.)...(...+vs....%.}M.........s....(........0...........s....}.....s....}...........}.......($.....}.....(....&.('..........s....o.....('...~...%-.&~(.....g...s....%.*...o ....s!...}.....s"...}.....s#...}...... .... 0u.........s....s;...}....... ..6........s....s;...}.....(%...($............o%........

C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.ClientService.dll.genman

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1636
Entropy (8bit):	5.0848956029560135
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onRzgeP0A2+vSkcyMQcbEMQcuMQcVSkcf5bdTo:3FYZ8h9o9gI0A2CHMQTMQ3MQGAXTo
MD5:	F94D041A8128BE81C4347CAF6A3C47BF
SHA1:	3285F9ACF70C0E4D34F888C28BD3F693E3DF5909
SHA-256:	91A65BACAD5F7F70BDDC6209ED65DD5C375CEF9F3C289EAB83FD90D622ADF46B
SHA-512:	90199543207CAF9B4501BE7E9509DC9526DAFCD5602AAED700314763021C8F3ED06D93A31A90A34CB19D4FB7184AA7D154B197F9E535657AEB9EB872DA377A41
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.ClientService" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="23.9.10.8817" />.. <file name="ScreenConnect.ClientService.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="23.9.10.8817" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Windows" publicKeyToken="4b14c015c87c1ad8" versio

C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.ClientService.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	95520
Entropy (8bit):	6.505299402844754
Encrypted:	false
SSDEEP:	1536:0g1s9pgbNBAklbZfe2+zRVdHeDxGXAorrCnBsWBcd6myJkg4T0HMc7Jxc:NhbNDxZGXfdHrX7rAc6myJkg4T0H/A
MD5:	DC615E9D8EC81CBF2E2452516373E5A0
SHA1:	EC83D37A4F45CAEB07B1605324D0315F959452E9
SHA-256:	E9AB064ED381C29A3930F75CA3E05605C6EE07F30A69C043F576A5461DE3BAFC
SHA-512:	82FE00447FB9785264DFB8032399ADF6D33D91D71058212D252742C9E5FD54F5A52F6BAF4FB05E95F9A4055057C60A33A7C1C642F18A6A4E045B49BE88FA5D9F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(..qF.qF.qF....qF.....qF....qF.<.B.qF.<.E.qF.<.C.qF....qF.#..qF.qG..qF.2.O.qF.2...qF.2.D.qF.Rich.qF.........................PE..L.....wc...............!.............!............@..................................t....@.................................p...x....`..X............L.. )...p......`!..p............................ ..@............................................text...:........................... ..`.rdata...f.......h..................@..@.data........@.......,..............@....rsrc...X....`.......6..............@..@.reloc.......p.......<..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.Core.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	531456
Entropy (8bit):	6.031735419537473
Encrypted:	false
SSDEEP:	6144:ZPpB0+E5A976t5puf9NTh/k4dKRYJUYg7N+earZ5Ghfn55AJ6m/JaXAQKx4kEYYo:dpq+Ezuf9N0RYJZPUI6
MD5:	B319407E807BE1A49E366F7F8EA7EE2A
SHA1:	B12197A877FB7E33B1CB5BA11B0DA5CA706581BA
SHA-256:	761B7E50BAA229E8AFCD9A50990D7F776DDB5ED1EA5FBB131C802E57CF918742
SHA-512:	DC497643790DC608DECE9C8FE7264EFEDD13724BD24C9BF28A60D848B405FDDEFB8337A60F3F32BB91518910E02C7A2AAF29FC32F86A464DFCAFA365526BDB7F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0............../... ...@....... ...............................8....@.................................1/..O....@.......................`..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................e/......H........2..(.............................................................{9.....{:...V.(;.....}9.....}:......0..A........ur.......4.,/(<....{9....{9...o=...,.(>....{:....{:...o?...... ... )UU.Z(<....{9...o@...X )UU.Z(>....{:...oA...X...0..b........r...p......%..{9......%qu....u...-.&.+...u...oB....%..{:......%qv....v...-.&.+...v...oB....(C.....{D.....{E...V.(;.....}D.....}E....0..A........uw.......4.,/(<....{D....{D...o=...,.(>....{E....{E...o?...... F.b# )UU.

C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.Core.dll.genman

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.130181995746891
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onR+geP0AKvSkcVSkcMKzpdciSkTo:3FYZ8h9o4gI0AGGVETDTo
MD5:	6DA6DC34636435E9C2BD1B5FF79091B5
SHA1:	61B6D8C16330FE9063F041BCC025C10DE82D876B
SHA-256:	98D4EDAA86468540D2D17EF17A9BCD7224B128099A51A8F92A65A88950DCB44C
SHA-512:	0BB929107ECFA257DFB2FF7B37955D8C2402287E989C015632A6292362858667A398AD0563103C1324A29585A8177AAA4BCE3C57D867735E40D2CC5C996BD5B9
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Core" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="23.9.10.8817" />.. <file name="ScreenConnect.Core.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System.Configuration" publicKeyToken="b03f5f7f11d50a3a" version="2.0.0.0" />.. </dependentAssem

C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.Windows.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1716224
Entropy (8bit):	6.635479721420864
Encrypted:	false
SSDEEP:	24576:ZSjm7Fj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPTsUw:Sm7JkGYYpT0+TFiH7efP
MD5:	29454A0CB83F28C24805E9A70E53444A
SHA1:	334202965B07AB69F08B16FED0EE6C7274463556
SHA-256:	998CC3F9AF5BD41CCF0F9BE86192BBE20CDEC08A6FF73C1199E1364195A83E14
SHA-512:	62790920974A2F1B018D466AE3E3B5100006A3C8013F43BDB04AF7074CFE5D992CAAEB610DE2B1B72FF0E4ACF8762DB1513A4A0CF331F9A340AE0CE53C3BE895
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....L............" ..0..(...........F... ...`....... ..............................lc....@..................................E..O....`.............................. E..8............................................ ............... ..H............text...(&... ...(.................. ..`.rsrc........`.....................@..@.reloc..............................@..B.................E......H.......$...L...........p...0....D........................................()...^.()..........%...}....:.().....}....:.().....}....:.().....}......s.....s+...:.(,.....(-.....{...."..}....J.(/........(0...&:.(,.....(1.....{2..."..}2....0..(........(3......+.............(0...&..X....i2.v.(,....s4...}.....s5...}....f.{......(...+.....o7.....0...........o8....+..o9......(...+&.o....-....,..o................."........{..........o:...&.......(.....*....0..L.......

C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.Windows.dll.genman

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1982
Entropy (8bit):	5.056583067402645
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onRbggeP0AovSkcyMQcVSkcHSkcf5bdcadccdcckdTo:3FYZ8h9oygI0AkHMQGQAXRTFgTo
MD5:	1FB3A39063C9FBBC9252D1224CF8C89D
SHA1:	0F0622EB6205F515651E055C17D0067A94308721
SHA-256:	199C3F5089B07F1FB6CB343180620B2094BCDDA9E1F6A3F41269C56402D98439
SHA-512:	8C70FF2FE2F1935454AA6BB4CE0998DA1ADCBFE7219F1EAEE4688EE86BBC730DE30347F39B9B1413CBD345D1BF786491ED2F79142D9333DBA3A7F0EDC9F48E3A
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Windows" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="23.9.10.8817" />.. <file name="ScreenConnect.Windows.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="23.9.10.8817" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </depen

C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.WindowsBackstageShell.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	61216
Entropy (8bit):	6.318400837211405
Encrypted:	false
SSDEEP:	1536:0Ai+pmi/djqbv8DtYQ4RE+TC3l/ibU37DIx4:0Upmi1YQb1l3X
MD5:	10DBA57F22A6AB4039330000570F39F8
SHA1:	B8B5C65A89256177DA802C4C9CBD11B013221730
SHA-256:	9BD8D15759F83D99EDD1F2617D59A94E1C2BB4BD7C4977958F5D5F22C5A7C469
SHA-512:	38230B63A4630145608F619D75CA3115C05AB0338FB57566E012DF1BD157123A670A37AE0FEA92351AB7352319A5AF29F9DB3F8BB14962F3F0DE3A4F5A5B754C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...."............"...0.............6.... ........@.. ....................... ............@.....................................O.......,............... )..........(...8............................................ ............... ..H............text...<.... ...................... ..`.rsrc...,...........................@..@.reloc..............................@..B........................H........S...............................................................(....^.(.......a...%...}....:.(......}....:.(......}....:.(......}........0..........(....(....(....(....r...p(....o....(....(....r...p..~....(....(....r9..p..~....(....(.....g~).....(....rY..p.(....&(.....(....s ...(!...s....(".....0...........(#.....($.....(%....s....%.o&...%.o'...%.o(...%s!...o)...%~....o*...}......(....o+...o,....(-.....@...%..(.....o.....s/...}.....{...........s0...o1....s...

C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.WindowsBackstageShell.exe.config

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.WindowsClient.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	587040
Entropy (8bit):	6.166636022526366
Encrypted:	false
SSDEEP:	12288:npu96mzdjnwbrYQySjbs03fG+Yg2PgG7x:CpjpSjq77x
MD5:	5DEC65C4047DE914C78816B8663E3602
SHA1:	8807695EE8345E37EFEC43CBC0874277ED9B0A66
SHA-256:	71602F6B0B27C8B7D8AD624248E6126970939EFFDE785EC913ACE19052E9960E
SHA-512:	27B5DCB5B0AEADF246B91A173D06E5E8D6CF2CD19D86CA358E0A85B84CD9D8F2B26372EF34C3D427F57803D90F2E97CF59692C80C268A71865F08FC0E7CE42D1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 7%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...twP..........."...0.................. ........@.. .......................@.......a....@.....................................O....................... )... ..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H........7......................`.........................................{F.....{G...V.(H.....}F.....}G......0..A........u,.......4.,/(I....{F....{F...oJ...,.(K....{G....{G...oL...... }.o )UU.Z(I....{F...oM...X )UU.Z(K....{G...oN...X...0..b........r...p......%..{F......%q/..../...-.&.+.../...oO....%..{G......%q0....0...-.&.+...0...oO....(P.....{Q.....{R...V.(H.....}Q.....}R....0..A........u1.......4.,/(I....{Q....{Q...oJ...,.(K....{R....{R...oL...... 1.c. )UU.

C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.WindowsClient.exe.config

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.WindowsClient.exe.genman

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	2573
Entropy (8bit):	5.02538862565643
Encrypted:	false
SSDEEP:	48:3FYZ8h9o5gI0A7HMQAXQ3MQTMQRGTDBTo:1YiW4AIBvtI
MD5:	EFA59A7F55AF829C3974A02F30EBE80C
SHA1:	0FABA6763D910D5EE104E3457045C63CCC5BF79B
SHA-256:	3E2D5CC7867AFA23663D5894127CE6E2880D3075773A249B37576EDA5088875A
SHA-512:	72262B09C21DC4A2B2701A5B32C149349FA3107035D5A115EAC4335E3961DCF12A7A867AEFF595C13AA618EA955B604538C0F4E529CB6A76FFF0CB75927CC74D
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.WindowsClient" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="23.9.10.8817" />.. <file name="ScreenConnect.WindowsClient.exe" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="23.9.10.8817" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System.Drawing" publicKeyToken="b03f5f7f11d50a3a" version="2.0.

C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.WindowsClient.exe.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (10074), with CRLF line terminators
Category:	dropped
Size (bytes):	17866
Entropy (8bit):	5.957264907751996
Encrypted:	false
SSDEEP:	384:jeowfbgEfIaMLf6svxX9nCCX9FX9R/QPIYM7Y7:jF68xX9fX9FX9R/QPIN07
MD5:	F4B84E283123B025A90BBDE33E2080FD
SHA1:	CC57BFD02228BE76C6E08BDE16996FA992FF0E54
SHA-256:	93F9EB492B6952D8C7AA1EF1EE5A901234BA1FD2D5EF58D24E1FAEF597EA8E02
SHA-512:	ABC92965BF97C37A614B556D2219D06E63687777D79DF5FFB4B5D447DD138C160E5A45CAB76A2353D758AD62960F2E58745F0523881FF6C0EA4CCBCD7ED40002
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">.. <asmv1:assemblyIdentity name="ScreenConnect.WindowsClient.exe" version="23.9.10.8817" publicKeyToken="25b0fbb6ef7eb094" language="neutral" processorArchitecture="msil" type="win32" />.. <application />.. <entryPoint>.. <assemblyIdentity name="ScreenConnect.WindowsClient" version="23.9.10.8817" publicKeyToken="4B14C015C87C1AD8" language="neutral" processorArchitecture="msil" />.. <commandLine file="ScreenConnect.WindowsClient.exe" paramet

C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.WindowsClient.exe:Zone.Identifier

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:gAWY3n:qY3n
MD5:	FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA1:	D59FC84CDD5217C6CF74785703655F78DA6B582B
SHA-256:	EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
SHA-512:	AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
Malicious:	false
Preview:	[ZoneTransfer]..ZoneId=3..

C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.WindowsFileManager.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	81696
Entropy (8bit):	5.850192336318162
Encrypted:	false
SSDEEP:	1536:GxIh+Sflv4V/bBI5kLP+VVVVVVVVVVVVVVVVVVVVVVVVVC7xk7NxGC:Em9CukLdtkL
MD5:	C333D3A6EEB74E4D76C3B9E0F6BFD04C
SHA1:	A39E2643E8DBD2097829E0B08938726557CB8E36
SHA-256:	998D7A0CD6B1A837489E55E99CB992088B9FDE220A1025346A461849E1F50D22
SHA-512:	58CC7741EBE1AADA93FD82A3E0A571A9A1AA3E400C46E7CDDDEF876D74F4FBBCBAE4293AC556B3823E8DC977E7CE72337A16C2D48EAB0AA52B736412AE43C634
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0..@..........B^... ...`....@.. .......................`.......<....@..................................]..O....`.. ............... )...@......<]..8............................................ ............... ..H............text...H>... ...@.................. ..`.rsrc... ....`.......B..............@..@.reloc.......@......................@..B................#^......H...........1...................\........................................(....^.(.......;...%...}....:.(......}....:.(......}....:.(......}........0..........s>....(....(....(....(....(.....(....(......s....}C....s....}B...~@...%-.&~?.....<...s ...%.@.......?...s ........@...s!...}D......A...s"..........(#...&......(#...& .... ...........($...&s....t......r...prs..p(%...(&...~>...%-.&...'...s(...%.>.....A...().......(*........(+...o,...(-...t..........o$.......o%.......

C:\Users\user\AppData\Local\Temp\Deployment\7MK1B1AL.8X2\77AVXK2Q.JNH\ScreenConnect.WindowsFileManager.exe.config

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Users\user\AppData\Local\Temp\Deployment\EBRQWVRV.QGM\L491RQB0.EZ7.application

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (63847), with CRLF line terminators
Category:	dropped
Size (bytes):	112936
Entropy (8bit):	5.578736140860222
Encrypted:	false
SSDEEP:	3072:F/SGr3qk54q8sYV7WfUIRTLT7m2o9HuzhJOvP:FIk5GVW/Rnmt8vOvP
MD5:	75F072DB717ADF065F2D4DDD705A2D49
SHA1:	8165093DE1C610B4CD5B301A6237E923170618C2
SHA-256:	3C7DD342A48BDACB6CC05C422AE960D7BAF899593C7A14A075C70F478F17825C
SHA-512:	AE29ECD9CD13694075681790B909EDF50903AA3820CF278889574969D2D954E1001F0BD89DA6D4670BC08CBF0CDFCBD2CFC6FFC27E3BD16E0A6F1FC3F73C1517
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?><asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xrml="urn:mpeg:mpeg21:2003:01-REL-R-NS" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">.. <assemblyIdentity name="ScreenConnect.WindowsClient.application" version="23.9.10.8817" publicKeyToken="25b0fbb6ef7eb094" language="neutral" processorArchitecture="msil" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <description asmv2:publisher="ScreenConnect Software" asmv2:product="ScreenConnect Client" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <deployment install="false" trustURLParameters="tr

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\932a2db58c237abd381d22df4c63a04a_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	87
Entropy (8bit):	3.463057265798253
Encrypted:	false
SSDEEP:	3:/lqlhGXKRjgjkFmURueGvx2VTUz:4DRPAx2Kz
MD5:	D2DED43CE07BFCE4D1C101DFCAA178C8
SHA1:	CE928A1293EA2ACA1AC01B61A344857786AFE509
SHA-256:	8EEE9284E733B9D4F2E5C43F71B81E27966F5CD8900183EB3BB77A1F1160D050
SHA-512:	A05486D523556C75FAAEEFE09BB2F8159A111B1B3560142E19048E6E3898A506EE4EA27DD6A4412EE56A7CE7C21E8152B1CDD92804BAF9FAC43973FABE006A2F
Malicious:	false
Preview:	......../...............................Microsoft Enhanced Cryptographic Provider v1.0.

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.368595908512052
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ScreenConnect.Client.exe
File size:	86'304 bytes
MD5:	88a8d150f1a63302ddc2d5114cfa5df2
SHA1:	0bf2abb33b7fda9ea7a96b68f784684b975e6b92
SHA256:	37fcb2df95b2ba1bc601c6140b1d415ba362ea67834bc13d1eaebbb69a1e5f68
SHA512:	47c96a89935f1c0228e87289d0449e9a27a72ec8abec98890f6d9ec483dd1b61b863fee455f6038dc8bc6a794ba0374ba048ad582950a791e3442f7ea5475de9
SSDEEP:	1536:+azWlKzJVcNp++yQNS6xNNCT2l8NE8llbpTaCJRpsWr6cdaQTJSvYYS7Q8x6Eg:yFNpo6rIKlUE8fbkqRfbaQlaYYSy
TLSH:	D9836C13B5D18475E8B30D3118B1D9B4993F7E124E548EAB2398427E0F352D1AE3AE7B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Ll..-...-...-..Q....-..Q....-..Q....-..eV...-..eV...-..eV...-...U...-...-...-..kV...-..kV...-..kV...-..Rich.-.................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4014ba
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6377E339 [Fri Nov 18 19:55:37 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	7631a79a9071099fa4803e1c4c5df207

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	17/08/2022 02:00:00 16/08/2025 01:59:59
Subject Chain	CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US
Version:	3
Thumbprint MD5:	AAE704EC2810686C3BF7704E660AFB5D
Thumbprint SHA-1:	4C2272FBA7A7380F55E2A424E9E624AEE1C14579
Thumbprint SHA-256:	82B4E7924D5BED84FB16DDF8391936EB301479CEC707DC14E23BC22B8CDEAE28
Serial:	0B9360051BCCF66642998998D5BA97CE

Entrypoint Preview

Instruction
call 00007F7C28693EBAh
jmp 00007F7C2869396Fh
push ebp
mov ebp, esp
push 00000000h
call dword ptr [0040B058h]
push dword ptr [ebp+08h]
call dword ptr [0040B054h]
push C0000409h
call dword ptr [0040B05Ch]
push eax
call dword ptr [0040B060h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call dword ptr [0040B064h]
test eax, eax
je 00007F7C28693AF7h
push 00000002h
pop ecx
int 29h
mov dword ptr [00411880h], eax
mov dword ptr [0041187Ch], ecx
mov dword ptr [00411878h], edx
mov dword ptr [00411874h], ebx
mov dword ptr [00411870h], esi
mov dword ptr [0041186Ch], edi
mov word ptr [00411898h], ss
mov word ptr [0041188Ch], cs
mov word ptr [00411868h], ds
mov word ptr [00411864h], es
mov word ptr [00411860h], fs
mov word ptr [0041185Ch], gs
pushfd
pop dword ptr [00411890h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [00411884h], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [00411888h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [00411894h], eax
mov eax, dword ptr [ebp-00000324h]
mov dword ptr [004117D0h], 00010001h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x10614	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x13000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x11800	0x3920
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x14000	0xde0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xfe40	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xfd80	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb000	0x144	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9d38	0x9e00	98f52c08706d5efc2c2f4ff786fa79c2	False	0.6047270569620253	data	6.5891945477373035	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xb000	0x5d82	0x5e00	45310b75fb33a12c5241211458ecb768	False	0.4187998670212766	OpenPGP Secret Key	4.852409164250541	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x11000	0x118c	0x800	32b8e1c2f8869f2303f15454d1470e4d	False	0.16357421875	data	1.9966704570134595	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x13000	0x1e0	0x200	aa256780346be2e1ee49ac6d69d2faff	False	0.52734375	data	4.703723272345726	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x14000	0xde0	0xe00	57e04a5cd3ee78cab4a357c5d692e27d	False	0.7806919642857143	data	6.505236561547605	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x13060	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL

Import

CRYPT32.dll

CertCreateCertificateContext, CertDeleteCertificateFromStore, CertOpenSystemStoreA, CryptMsgClose, CertFreeCertificateContext, CertAddCertificateContextToStore, CryptQueryObject, CertCloseStore, CryptMsgGetParam

KERNEL32.dll

ReadFile, GetModuleFileNameW, SetFilePointer, LocalAlloc, CreateFileW, Sleep, LoadLibraryA, CloseHandle, GetProcAddress, LocalFree, WriteConsoleW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwind, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, RaiseException, GetStdHandle, WriteFile, GetModuleFileNameA, MultiByteToWideChar, WideCharToMultiByte, ExitProcess, GetModuleHandleExW, GetACP, HeapAlloc, HeapFree, FindClose, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, SetStdHandle, GetFileType, GetStringTypeW, GetProcessHeap, HeapSize, HeapReAlloc, FlushFileBuffers, GetConsoleCP, GetConsoleMode, SetFilePointerEx, DecodePointer

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 02:54:50.502902985 CEST	49714	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:54:50.502943993 CEST	443	49714	147.28.128.254	192.168.2.6
Apr 24, 2024 02:54:50.503010035 CEST	49714	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:54:50.527895927 CEST	49714	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:54:50.527919054 CEST	443	49714	147.28.128.254	192.168.2.6
Apr 24, 2024 02:54:51.200809956 CEST	443	49714	147.28.128.254	192.168.2.6
Apr 24, 2024 02:54:51.200898886 CEST	49714	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:54:51.204521894 CEST	49714	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:54:51.204531908 CEST	443	49714	147.28.128.254	192.168.2.6
Apr 24, 2024 02:54:51.204813957 CEST	443	49714	147.28.128.254	192.168.2.6
Apr 24, 2024 02:54:51.255635023 CEST	49714	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:54:51.275484085 CEST	49714	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:54:51.320125103 CEST	443	49714	147.28.128.254	192.168.2.6
Apr 24, 2024 02:54:51.719558001 CEST	443	49714	147.28.128.254	192.168.2.6
Apr 24, 2024 02:54:51.719583988 CEST	443	49714	147.28.128.254	192.168.2.6
Apr 24, 2024 02:54:51.719592094 CEST	443	49714	147.28.128.254	192.168.2.6
Apr 24, 2024 02:54:51.719607115 CEST	443	49714	147.28.128.254	192.168.2.6
Apr 24, 2024 02:54:51.719641924 CEST	443	49714	147.28.128.254	192.168.2.6
Apr 24, 2024 02:54:51.719886065 CEST	49714	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:54:51.719902992 CEST	443	49714	147.28.128.254	192.168.2.6
Apr 24, 2024 02:54:51.719966888 CEST	49714	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:54:51.720181942 CEST	443	49714	147.28.128.254	192.168.2.6
Apr 24, 2024 02:54:51.720199108 CEST	443	49714	147.28.128.254	192.168.2.6
Apr 24, 2024 02:54:51.720262051 CEST	49714	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:54:51.720268965 CEST	443	49714	147.28.128.254	192.168.2.6
Apr 24, 2024 02:54:51.771323919 CEST	49714	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:54:51.936804056 CEST	443	49714	147.28.128.254	192.168.2.6
Apr 24, 2024 02:54:51.936820984 CEST	443	49714	147.28.128.254	192.168.2.6
Apr 24, 2024 02:54:51.936857939 CEST	443	49714	147.28.128.254	192.168.2.6
Apr 24, 2024 02:54:51.936934948 CEST	49714	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:54:51.936948061 CEST	443	49714	147.28.128.254	192.168.2.6
Apr 24, 2024 02:54:51.936986923 CEST	49714	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:54:51.937011003 CEST	49714	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:54:51.937163115 CEST	443	49714	147.28.128.254	192.168.2.6
Apr 24, 2024 02:54:51.937180042 CEST	443	49714	147.28.128.254	192.168.2.6
Apr 24, 2024 02:54:51.937237978 CEST	49714	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:54:51.937243938 CEST	443	49714	147.28.128.254	192.168.2.6
Apr 24, 2024 02:54:51.937278032 CEST	49714	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:54:51.937573910 CEST	443	49714	147.28.128.254	192.168.2.6
Apr 24, 2024 02:54:51.937588930 CEST	443	49714	147.28.128.254	192.168.2.6
Apr 24, 2024 02:54:51.937648058 CEST	49714	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:54:51.937653065 CEST	443	49714	147.28.128.254	192.168.2.6
Apr 24, 2024 02:54:51.937777042 CEST	49714	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:54:51.938005924 CEST	443	49714	147.28.128.254	192.168.2.6
Apr 24, 2024 02:54:51.938024998 CEST	443	49714	147.28.128.254	192.168.2.6
Apr 24, 2024 02:54:51.938081026 CEST	49714	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:54:51.938086033 CEST	443	49714	147.28.128.254	192.168.2.6
Apr 24, 2024 02:54:51.938204050 CEST	49714	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:54:52.154011965 CEST	443	49714	147.28.128.254	192.168.2.6
Apr 24, 2024 02:54:52.154067039 CEST	443	49714	147.28.128.254	192.168.2.6
Apr 24, 2024 02:54:52.154107094 CEST	49714	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:54:52.154120922 CEST	443	49714	147.28.128.254	192.168.2.6
Apr 24, 2024 02:54:52.154134035 CEST	443	49714	147.28.128.254	192.168.2.6
Apr 24, 2024 02:54:52.154161930 CEST	49714	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:54:52.154194117 CEST	49714	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:54:52.158556938 CEST	49714	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:54:52.597723961 CEST	49716	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:54:52.597765923 CEST	443	49716	147.28.128.254	192.168.2.6
Apr 24, 2024 02:54:52.597893953 CEST	49716	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:54:52.598129988 CEST	49716	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:54:52.598144054 CEST	443	49716	147.28.128.254	192.168.2.6
Apr 24, 2024 02:54:53.037895918 CEST	443	49716	147.28.128.254	192.168.2.6
Apr 24, 2024 02:54:53.040891886 CEST	49716	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:54:53.040911913 CEST	443	49716	147.28.128.254	192.168.2.6
Apr 24, 2024 02:54:53.733164072 CEST	443	49716	147.28.128.254	192.168.2.6
Apr 24, 2024 02:54:53.733191967 CEST	443	49716	147.28.128.254	192.168.2.6
Apr 24, 2024 02:54:53.733236074 CEST	443	49716	147.28.128.254	192.168.2.6
Apr 24, 2024 02:54:53.733274937 CEST	49716	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:54:53.733292103 CEST	443	49716	147.28.128.254	192.168.2.6
Apr 24, 2024 02:54:53.733319998 CEST	49716	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:54:53.733325005 CEST	443	49716	147.28.128.254	192.168.2.6
Apr 24, 2024 02:54:53.733341932 CEST	49716	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:54:53.733349085 CEST	443	49716	147.28.128.254	192.168.2.6
Apr 24, 2024 02:54:53.733371973 CEST	49716	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:54:53.733385086 CEST	443	49716	147.28.128.254	192.168.2.6
Apr 24, 2024 02:54:53.733429909 CEST	49716	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:54:53.734966993 CEST	49716	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:54:58.844716072 CEST	49725	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:54:58.844770908 CEST	443	49725	147.28.128.254	192.168.2.6
Apr 24, 2024 02:54:58.844824076 CEST	49725	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:54:58.845249891 CEST	49725	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:54:58.845261097 CEST	443	49725	147.28.128.254	192.168.2.6
Apr 24, 2024 02:54:59.283401966 CEST	443	49725	147.28.128.254	192.168.2.6
Apr 24, 2024 02:54:59.317868948 CEST	49725	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:54:59.317903042 CEST	443	49725	147.28.128.254	192.168.2.6
Apr 24, 2024 02:54:59.981236935 CEST	443	49725	147.28.128.254	192.168.2.6
Apr 24, 2024 02:54:59.981276035 CEST	443	49725	147.28.128.254	192.168.2.6
Apr 24, 2024 02:54:59.981303930 CEST	443	49725	147.28.128.254	192.168.2.6
Apr 24, 2024 02:54:59.981312037 CEST	443	49725	147.28.128.254	192.168.2.6
Apr 24, 2024 02:54:59.981451988 CEST	49725	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:54:59.981476068 CEST	443	49725	147.28.128.254	192.168.2.6
Apr 24, 2024 02:54:59.981564999 CEST	49725	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:54:59.982726097 CEST	443	49725	147.28.128.254	192.168.2.6
Apr 24, 2024 02:54:59.982749939 CEST	443	49725	147.28.128.254	192.168.2.6
Apr 24, 2024 02:54:59.982877016 CEST	49725	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:54:59.982887983 CEST	443	49725	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:00.036915064 CEST	49725	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:00.198744059 CEST	443	49725	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:00.198822021 CEST	443	49725	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:00.198867083 CEST	49725	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:00.198884010 CEST	443	49725	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:00.198955059 CEST	49725	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:00.199518919 CEST	443	49725	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:00.199537992 CEST	443	49725	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:00.199584007 CEST	49725	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:00.199593067 CEST	443	49725	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:00.199613094 CEST	49725	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:00.199628115 CEST	49725	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:00.200273991 CEST	443	49725	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:00.200299025 CEST	443	49725	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:00.200325012 CEST	49725	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:00.200331926 CEST	443	49725	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:00.200366974 CEST	49725	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:00.415472031 CEST	443	49725	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:00.415503979 CEST	443	49725	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:00.415548086 CEST	49725	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:00.415564060 CEST	443	49725	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:00.415589094 CEST	49725	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:00.415597916 CEST	443	49725	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:00.415605068 CEST	49725	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:00.415632963 CEST	49725	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:00.416301966 CEST	49725	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:00.428253889 CEST	49726	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:00.428292990 CEST	443	49726	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:00.428369045 CEST	49726	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:00.428704977 CEST	49726	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:00.428710938 CEST	443	49726	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:00.869607925 CEST	443	49726	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:00.871288061 CEST	49726	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:00.871325016 CEST	443	49726	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:01.574510098 CEST	443	49726	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:01.574533939 CEST	443	49726	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:01.574551105 CEST	443	49726	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:01.574629068 CEST	49726	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:01.574668884 CEST	443	49726	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:01.574709892 CEST	443	49726	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:01.574734926 CEST	49726	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:01.574743032 CEST	443	49726	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:01.574774027 CEST	49726	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:01.574801922 CEST	49726	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:01.791933060 CEST	443	49726	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:01.791959047 CEST	443	49726	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:01.792184114 CEST	49726	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:01.792216063 CEST	443	49726	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:01.792237997 CEST	443	49726	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:01.792316914 CEST	49726	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:01.793216944 CEST	49726	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:01.802501917 CEST	49727	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:01.802562952 CEST	443	49727	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:01.802706957 CEST	49727	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:01.803147078 CEST	49727	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:01.803160906 CEST	443	49727	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:02.245734930 CEST	443	49727	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:02.247575998 CEST	49727	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:02.247596025 CEST	443	49727	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:02.729594946 CEST	443	49727	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:02.729686022 CEST	443	49727	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:02.729801893 CEST	49727	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:02.730953932 CEST	49727	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:02.736871004 CEST	49728	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:02.736913919 CEST	443	49728	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:02.736985922 CEST	49728	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:02.737271070 CEST	49728	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:02.737284899 CEST	443	49728	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:03.174690962 CEST	443	49728	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:03.176161051 CEST	49728	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:03.176193953 CEST	443	49728	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:03.653736115 CEST	443	49728	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:03.653830051 CEST	443	49728	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:03.653882027 CEST	49728	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:03.655198097 CEST	49728	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:03.661969900 CEST	49730	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:03.662009001 CEST	443	49730	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:03.662072897 CEST	49730	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:03.662519932 CEST	49730	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:03.662533045 CEST	443	49730	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:04.101135015 CEST	443	49730	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:04.146303892 CEST	49730	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:05.205208063 CEST	49730	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:05.205230951 CEST	443	49730	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:05.423398018 CEST	443	49730	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:05.423479080 CEST	443	49730	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:05.423518896 CEST	49730	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:05.529357910 CEST	49730	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:05.536191940 CEST	49731	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:05.536230087 CEST	443	49731	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:05.536335945 CEST	49731	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:05.536756992 CEST	49731	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:05.536773920 CEST	443	49731	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:05.978384972 CEST	443	49731	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:05.990917921 CEST	49731	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:05.990947962 CEST	443	49731	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:06.684261084 CEST	443	49731	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:06.684303999 CEST	443	49731	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:06.684319973 CEST	443	49731	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:06.684446096 CEST	49731	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:06.684464931 CEST	443	49731	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:06.684484959 CEST	49731	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:06.684598923 CEST	443	49731	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:06.684602022 CEST	49731	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:06.684611082 CEST	443	49731	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:06.684633017 CEST	443	49731	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:06.684696913 CEST	49731	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:06.684696913 CEST	49731	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:06.684706926 CEST	443	49731	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:06.740046024 CEST	49731	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:06.902569056 CEST	443	49731	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:06.902601004 CEST	443	49731	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:06.902779102 CEST	443	49731	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:06.902818918 CEST	49731	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:06.902843952 CEST	443	49731	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:06.902857065 CEST	443	49731	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:06.902872086 CEST	49731	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:06.902977943 CEST	49731	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:06.903177023 CEST	443	49731	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:06.903207064 CEST	443	49731	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:06.903242111 CEST	49731	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:06.903248072 CEST	443	49731	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:06.903342962 CEST	443	49731	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:06.903379917 CEST	49731	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:06.903379917 CEST	49731	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:06.904028893 CEST	49731	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:06.917464018 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:06.917509079 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:06.917587042 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:06.917912006 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:06.917920113 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:07.355283022 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:07.357412100 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:07.357439995 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.056016922 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.056051016 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.056076050 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.056107998 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.056126118 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.056142092 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.056171894 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.057147980 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.057168961 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.057250977 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.057256937 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.099422932 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.273643017 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.273658991 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.273683071 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.273709059 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.273758888 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.273768902 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.274193048 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.274344921 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.274377108 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.274406910 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.274413109 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.274439096 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.274454117 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.275393009 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.275420904 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.275527000 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.275531054 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.275650978 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.490901947 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.490923882 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.490950108 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.491000891 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.491029978 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.491053104 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.491070986 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.492266893 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.492292881 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.492366076 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.492377996 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.492400885 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.492420912 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.493365049 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.493391991 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.493433952 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.493443966 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.493474960 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.493490934 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.494184971 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.494221926 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.494251966 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.494262934 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.494283915 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.494301081 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.495238066 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.495261908 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.495316029 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.495326042 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.495351076 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.495367050 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.708019972 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.708043098 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.708070040 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.708121061 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.708147049 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.708170891 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.708185911 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.708985090 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.709007978 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.709057093 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.709062099 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.709099054 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.709239006 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.710825920 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.710855961 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.710896015 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.710901976 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.710938931 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.712081909 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.712116003 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.712165117 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.712169886 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.712238073 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.713287115 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.713306904 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.713359118 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.713362932 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.713392973 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.713411093 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.714221954 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.714245081 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.714339972 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.714346886 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.714534998 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.715056896 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.715078115 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.715109110 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.715115070 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.715157986 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.715173006 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.716268063 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.716296911 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.716346025 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.716351986 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.716373920 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.716392994 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.717052937 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.717081070 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.717132092 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.717138052 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.717166901 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.717180967 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.717819929 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.717840910 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.717897892 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.717904091 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.717968941 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.718719006 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.718740940 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.718789101 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.718794107 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.718852997 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.718873978 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.925122976 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.925143003 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.925167084 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.925206900 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.925267935 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.925278902 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.925316095 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.925369024 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.925390005 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.925434113 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.925440073 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.925467014 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.925483942 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.926048040 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.926069021 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.926126957 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.926135063 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.926353931 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.926893950 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.926914930 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.926959991 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.926965952 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.927254915 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.927913904 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.927934885 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.927969933 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.927975893 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.928002119 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.928019047 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.928700924 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.928723097 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.928778887 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.928785086 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.929131985 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.929161072 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.929202080 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.929208994 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.929229975 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.929255009 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.929683924 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.929707050 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.929738998 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.929745913 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.929764032 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.929780960 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.930203915 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.930231094 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.930258036 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.930263042 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.930285931 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.930304050 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.930677891 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.930711031 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.930747986 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.930753946 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.930784941 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.931128025 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.931154966 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.931210041 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.931215048 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.931428909 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.931668997 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.931689024 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.931731939 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.931736946 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.931844950 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.932548046 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.932569027 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.932611942 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.932619095 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.932703972 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.932862043 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.932883978 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.932913065 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.932919025 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.932943106 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.932955980 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.933223963 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.933262110 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.933280945 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.933286905 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.933306932 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.933321953 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.933326960 CEST	443	49732	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.933717012 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.933733940 CEST	49732	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.996925116 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.996969938 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:08.997095108 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.997462034 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:08.997473001 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:09.435190916 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:09.437072992 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:09.437088966 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.136507034 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.136545897 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.136560917 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.136670113 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:10.136682034 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.136748075 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:10.137458086 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.137473106 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.137506962 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:10.137511015 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.137532949 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:10.177541018 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:10.355007887 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.355032921 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.355093956 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:10.355106115 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.355148077 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:10.355818033 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.355833054 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.355885983 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:10.355890036 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.355922937 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:10.356709957 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.356724977 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.356781006 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:10.356785059 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.356822014 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:10.572151899 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.572179079 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.572240114 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:10.572252989 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.572297096 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:10.572956085 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.572972059 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.573045969 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:10.573049068 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.573137045 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:10.573318958 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.573333979 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.573489904 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:10.573493958 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.573532104 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:10.573812008 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.573832035 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.573877096 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:10.573880911 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.573915958 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:10.574295998 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.574314117 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.574371099 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:10.574373960 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.574461937 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:10.789879084 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.789906025 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.789963007 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:10.789975882 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.790033102 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:10.790945053 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.790962934 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.791028023 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:10.791032076 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.791063070 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:10.792870045 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.792886972 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.793025970 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:10.793030024 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.793070078 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:10.793322086 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.793339014 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.793389082 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:10.793392897 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.793420076 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:10.793606997 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.793621063 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.793791056 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:10.793795109 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.793828964 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:10.793915033 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.793930054 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.793958902 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:10.793962002 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.793992996 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:10.794251919 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.794266939 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.794320107 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:10.794322968 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.794352055 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:10.794742107 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.794759035 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.794809103 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:10.794811010 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.794841051 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:10.794857979 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:10.795028925 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.795043945 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.795099020 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:10.795101881 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.795133114 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:10.795371056 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.795384884 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.795423985 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:10.795427084 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.795458078 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:10.795675039 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.795692921 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.795742989 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:10.795746088 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:10.795773983 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.007322073 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.007349014 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.007411957 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.007426023 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.007448912 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.007472038 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.007675886 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.007690907 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.007745981 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.007750034 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.007795095 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.008234978 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.008249044 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.008311033 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.008315086 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.008476973 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.008761883 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.008778095 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.008841991 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.008846045 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.008936882 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.010458946 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.010472059 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.010541916 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.010545015 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.010611057 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.013082981 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.013098001 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.013160944 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.013164997 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.013200998 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.013910055 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.013923883 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.013989925 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.013993025 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.014030933 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.014602900 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.014616966 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.014678955 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.014683008 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.014769077 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.015628099 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.015642881 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.015723944 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.015727043 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.015779018 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.016361952 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.016380072 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.016413927 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.016417980 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.016448021 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.016474962 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.016640902 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.016659975 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.016688108 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.016690969 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.016727924 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.016987085 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.017002106 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.017060995 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.017064095 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.017182112 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.017363071 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.017378092 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.017435074 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.017437935 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.017479897 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.017623901 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.017638922 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.017692089 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.017694950 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.017733097 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.017990112 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.018007994 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.018064022 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.018066883 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.018110037 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.018342972 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.018357992 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.018403053 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.018405914 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.018429041 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.018450022 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.018615007 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.018627882 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.018663883 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.018667936 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.018697023 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.018717051 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.018923998 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.018938065 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.018990040 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.018994093 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.019033909 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.019265890 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.019282103 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.019331932 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.019335032 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.019376993 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.019577980 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.019598007 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.019649982 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.019653082 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.019675016 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.019682884 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.019923925 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.019939899 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.019983053 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.019987106 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.020026922 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.042691946 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.050232887 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.050251007 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.050340891 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.050347090 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.050388098 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.224850893 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.224872112 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.224982977 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.224991083 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.225028038 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.225078106 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.225097895 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.225152969 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.225156069 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.225197077 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.225363970 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.225378990 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.225430012 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.225434065 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.225478888 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.225688934 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.225703955 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.225754976 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.225758076 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.225841045 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.225994110 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.226010084 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.226053953 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.226057053 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.226082087 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.226100922 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.226325035 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.226340055 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.226392984 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.226396084 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.226564884 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.226727962 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.226743937 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.226809025 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.226814032 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.226855040 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.227240086 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.227272034 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.227293015 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.227296114 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.227315903 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.227332115 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.227673054 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.227691889 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.227755070 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.227757931 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.227797985 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.228770018 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.228786945 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.228842974 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.228846073 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.228951931 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.230536938 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.230552912 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.230631113 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.230634928 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.230674028 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.230885983 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.230901003 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.230942965 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.230947018 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.230978012 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.231336117 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.231350899 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.231406927 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.231410980 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.231447935 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.231688023 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.231703043 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.231755018 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.231759071 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.231853008 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.231906891 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.231921911 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.231961966 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.231965065 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.231991053 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.232003927 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.232359886 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.232373953 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.232444048 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.232448101 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.232578993 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.232928038 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.232943058 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.232990026 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.232994080 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.233031034 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.233051062 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.233401060 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.233417034 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.233485937 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.233489990 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.233536005 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.234107971 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.234123945 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.234190941 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.234194994 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.234245062 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.234365940 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.234380960 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.234427929 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.234432936 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.234460115 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.234477997 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.234723091 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.234771967 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.234802961 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.234807014 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.234832048 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.234855890 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.234858990 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.286952972 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.453675985 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.453689098 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.453712940 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.453751087 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.453762054 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.453795910 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.453824043 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.453912020 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.453933954 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.453972101 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.453974962 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.453999996 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.454020023 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.454271078 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.454288006 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.454355001 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.454359055 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.454400063 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.454605103 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.454622030 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.454653978 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.454658031 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.454694986 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.454705000 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.454906940 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.454922915 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.454961061 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.454963923 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.455007076 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.455285072 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.455312967 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.455346107 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.455351114 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.455374956 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.455394030 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.455704927 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.455718994 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.455822945 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.455827951 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.455961943 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.455986977 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.456012011 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.456015110 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.456038952 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.456069946 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.456314087 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.456330061 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.456383944 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.456387997 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.456438065 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.456634045 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.456649065 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.456691027 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.456693888 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.456732988 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.457019091 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.457034111 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.457079887 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.457082987 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.457117081 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.457129955 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.457288027 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.457304001 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.457360983 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.457364082 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.457451105 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.457613945 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.457629919 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.457669020 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.457672119 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.457700014 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.457712889 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.457932949 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.457947969 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.458002090 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.458004951 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.458044052 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.458190918 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.458209991 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.458249092 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.458252907 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.458286047 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.458303928 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.458575010 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.458590031 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.458638906 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.458642960 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.458674908 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.458842039 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.458862066 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.458910942 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.458914042 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.458940983 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.458965063 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.459163904 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.459178925 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.459230900 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.459233999 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.459255934 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.459281921 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.459475994 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.459491968 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.459543943 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.459547043 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.459764957 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.459813118 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.459830046 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.459883928 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.459887028 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.459922075 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.460213900 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.460230112 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.460280895 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.460283995 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.460320950 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.460669041 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.460683107 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.460745096 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.460747957 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.460800886 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.460997105 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.461011887 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.461080074 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.461082935 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.461126089 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.461316109 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.461330891 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.461394072 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.461399078 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.461608887 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.461630106 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.461668015 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.461671114 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.461693048 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.461723089 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.461947918 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.461961031 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.461993933 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.461997032 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.462017059 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.462042093 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.462214947 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.462230921 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.462264061 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.462266922 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.462304115 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.462322950 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.462543964 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.462559938 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.462603092 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.462605953 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.462632895 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.462655067 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.462829113 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.462846041 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.462888956 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.462892056 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.462924004 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.463095903 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.463109970 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.463148117 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.463150978 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.463170052 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.463457108 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.463484049 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.463493109 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.463498116 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.463507891 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.463555098 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.463773966 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.463802099 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.463857889 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.463860989 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.463906050 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.464148998 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.464164019 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.464251041 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.464253902 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.464294910 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.464411020 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.464426041 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.464468956 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.464472055 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.464494944 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.464513063 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.464775085 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.464790106 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.464828968 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.464832067 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.464859009 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.464890957 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.465089083 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.465102911 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.465141058 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.465143919 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.465163946 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.465183020 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.465389967 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.465404034 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.465442896 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.465445995 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.465477943 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.465492010 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.465688944 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.465706110 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.465742111 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.465744972 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.465766907 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.465791941 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.466020107 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.466034889 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.466087103 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.466089964 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.466106892 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.466128111 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.466342926 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.466362953 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.466391087 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.466396093 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.466425896 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.466449976 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.466550112 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.466573000 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.466598034 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.466600895 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.466622114 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.466679096 CEST	443	49735	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.466713905 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.467045069 CEST	49735	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.524863005 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.524908066 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.525641918 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.526202917 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.526221037 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.963140011 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:11.964571953 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:11.964628935 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:12.663706064 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:12.663728952 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:12.663744926 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:12.663872004 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:12.663892984 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:12.663908005 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:12.663932085 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:12.663942099 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:12.663948059 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:12.663971901 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:12.664005995 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:12.881341934 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:12.881370068 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:12.881431103 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:12.881458998 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:12.881477118 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:12.881494045 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:12.881597996 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:12.881616116 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:12.881640911 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:12.881647110 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:12.881674051 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:12.881690979 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:12.881850958 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:12.881876945 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:12.881918907 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:12.881925106 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:12.881951094 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.100502968 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.100589037 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.100636959 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.100667953 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.100688934 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.100709915 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.100758076 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.100804090 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.100819111 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.100826025 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.100864887 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.100920916 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.100980997 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.100991964 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.101011992 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.101036072 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.101052046 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.101156950 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.101198912 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.101219893 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.101228952 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.101250887 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.101277113 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.101361036 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.101402044 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.101424932 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.101433039 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.101454973 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.101473093 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.318063021 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.318093061 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.318180084 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.318201065 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.318248987 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.318264961 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.318279982 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.318312883 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.318531990 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.318547964 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.318603039 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.318610907 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.318881989 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.318902016 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.318945885 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.318953991 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.319010973 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.319564104 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.319603920 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.319636106 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.319645882 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.319681883 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.320219994 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.320266962 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.320298910 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.320307970 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.320327997 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.320805073 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.320844889 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.320921898 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.320938110 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.321487904 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.321536064 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.321562052 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.321569920 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.321598053 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.321928024 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.321943998 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.321995974 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.322005033 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.322494030 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.322511911 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.322565079 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.322573900 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.322915077 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.322935104 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.322985888 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.322993994 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.365365982 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.535716057 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.535744905 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.535815001 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.535829067 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.535866022 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.537156105 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.537178040 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.537204981 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.537211895 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.537235975 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.537254095 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.538027048 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.538043022 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.538103104 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.538114071 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.538218021 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.538706064 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.538722038 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.538784027 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.538789988 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.538842916 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.539566994 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.539582014 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.539647102 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.539654016 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.539690971 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.540256023 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.540271997 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.540326118 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.540330887 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.540361881 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.540975094 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.540990114 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.541040897 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.541047096 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.541098118 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.541680098 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.541697025 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.541743040 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.541749001 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.541779995 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.542471886 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.542490005 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.542536974 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.542542934 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.542571068 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.543410063 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.543426037 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.543474913 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.543482065 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.543512106 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.544342041 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.544358015 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.544404030 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.544409037 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.544439077 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.544600010 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.544648886 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.544655085 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.544675112 CEST	443	49736	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.544706106 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.545046091 CEST	49736	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.575278997 CEST	49737	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.575321913 CEST	443	49737	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:13.575398922 CEST	49737	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.575706959 CEST	49737	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:13.575723886 CEST	443	49737	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:14.012861967 CEST	443	49737	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:14.014657974 CEST	49737	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:14.014682055 CEST	443	49737	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:14.711541891 CEST	443	49737	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:14.711569071 CEST	443	49737	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:14.711585045 CEST	443	49737	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:14.711720943 CEST	49737	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:14.711743116 CEST	443	49737	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:14.711759090 CEST	443	49737	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:14.711837053 CEST	49737	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:14.929357052 CEST	443	49737	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:14.929388046 CEST	443	49737	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:14.929513931 CEST	49737	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:14.929533958 CEST	443	49737	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:14.929702044 CEST	443	49737	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:14.929723978 CEST	443	49737	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:14.929761887 CEST	49737	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:14.929770947 CEST	443	49737	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:14.929814100 CEST	49737	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:14.929814100 CEST	49737	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:14.930217028 CEST	443	49737	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:14.930233955 CEST	443	49737	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:14.930299997 CEST	49737	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:14.930308104 CEST	443	49737	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:14.932931900 CEST	49737	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:15.146991014 CEST	443	49737	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:15.147023916 CEST	443	49737	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:15.147234917 CEST	49737	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:15.147255898 CEST	443	49737	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:15.147835016 CEST	443	49737	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:15.147859097 CEST	443	49737	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:15.147927999 CEST	49737	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:15.147927999 CEST	49737	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:15.147939920 CEST	443	49737	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:15.148767948 CEST	443	49737	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:15.148782015 CEST	443	49737	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:15.148895025 CEST	49737	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:15.148909092 CEST	443	49737	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:15.149854898 CEST	443	49737	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:15.149877071 CEST	443	49737	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:15.149966002 CEST	49737	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:15.149966002 CEST	49737	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:15.149974108 CEST	443	49737	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:15.150312901 CEST	49737	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:15.150953054 CEST	443	49737	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:15.150969028 CEST	443	49737	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:15.151040077 CEST	49737	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:15.151051044 CEST	443	49737	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:15.151204109 CEST	49737	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:15.364443064 CEST	443	49737	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:15.364468098 CEST	443	49737	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:15.364531040 CEST	49737	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:15.364552021 CEST	443	49737	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:15.364592075 CEST	49737	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:15.364641905 CEST	49737	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:15.364706039 CEST	443	49737	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:15.364748955 CEST	443	49737	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:15.364774942 CEST	49737	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:15.364783049 CEST	443	49737	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:15.364811897 CEST	49737	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:15.364813089 CEST	443	49737	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:15.364835024 CEST	49737	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:15.364897013 CEST	49737	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:15.366744995 CEST	49737	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:15.384757996 CEST	49738	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:15.384804964 CEST	443	49738	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:15.384912968 CEST	49738	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:15.385363102 CEST	49738	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:15.385377884 CEST	443	49738	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:15.822097063 CEST	443	49738	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:15.828299999 CEST	49738	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:15.828316927 CEST	443	49738	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:16.522655010 CEST	443	49738	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:16.522692919 CEST	443	49738	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:16.522710085 CEST	443	49738	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:16.522815943 CEST	49738	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:16.522835970 CEST	443	49738	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:16.522876978 CEST	49738	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:16.523384094 CEST	443	49738	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:16.523406029 CEST	443	49738	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:16.523447037 CEST	49738	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:16.523467064 CEST	443	49738	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:16.523499966 CEST	49738	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:16.568238020 CEST	49738	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:16.740324020 CEST	443	49738	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:16.740360022 CEST	443	49738	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:16.740444899 CEST	49738	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:16.740482092 CEST	443	49738	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:16.740536928 CEST	49738	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:16.740926981 CEST	443	49738	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:16.740979910 CEST	443	49738	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:16.740995884 CEST	49738	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:16.741008997 CEST	443	49738	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:16.741033077 CEST	49738	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:16.741039991 CEST	443	49738	147.28.128.254	192.168.2.6
Apr 24, 2024 02:55:16.741053104 CEST	49738	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:16.741090059 CEST	49738	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:16.741633892 CEST	49738	443	192.168.2.6	147.28.128.254
Apr 24, 2024 02:55:24.575031996 CEST	49741	443	192.168.2.6	147.28.128.252
Apr 24, 2024 02:55:24.575074911 CEST	443	49741	147.28.128.252	192.168.2.6
Apr 24, 2024 02:55:24.575165987 CEST	49741	443	192.168.2.6	147.28.128.252
Apr 24, 2024 02:55:25.405256987 CEST	49741	443	192.168.2.6	147.28.128.252
Apr 24, 2024 02:55:25.405287981 CEST	443	49741	147.28.128.252	192.168.2.6
Apr 24, 2024 02:55:25.405360937 CEST	443	49741	147.28.128.252	192.168.2.6
Apr 24, 2024 02:55:27.503839970 CEST	49742	443	192.168.2.6	147.28.128.252
Apr 24, 2024 02:55:27.503881931 CEST	443	49742	147.28.128.252	192.168.2.6
Apr 24, 2024 02:55:27.503973007 CEST	49742	443	192.168.2.6	147.28.128.252
Apr 24, 2024 02:55:27.511836052 CEST	49742	443	192.168.2.6	147.28.128.252
Apr 24, 2024 02:55:27.511848927 CEST	443	49742	147.28.128.252	192.168.2.6
Apr 24, 2024 02:55:27.511904001 CEST	443	49742	147.28.128.252	192.168.2.6
Apr 24, 2024 02:55:30.570646048 CEST	49743	443	192.168.2.6	147.28.128.252
Apr 24, 2024 02:55:30.570692062 CEST	443	49743	147.28.128.252	192.168.2.6
Apr 24, 2024 02:55:30.570780993 CEST	49743	443	192.168.2.6	147.28.128.252
Apr 24, 2024 02:55:30.573316097 CEST	49743	443	192.168.2.6	147.28.128.252
Apr 24, 2024 02:55:30.573329926 CEST	443	49743	147.28.128.252	192.168.2.6
Apr 24, 2024 02:55:30.573370934 CEST	443	49743	147.28.128.252	192.168.2.6
Apr 24, 2024 02:55:35.742424011 CEST	49744	443	192.168.2.6	147.28.128.252
Apr 24, 2024 02:55:35.742470026 CEST	443	49744	147.28.128.252	192.168.2.6
Apr 24, 2024 02:55:35.742542982 CEST	49744	443	192.168.2.6	147.28.128.252
Apr 24, 2024 02:55:35.744643927 CEST	49744	443	192.168.2.6	147.28.128.252
Apr 24, 2024 02:55:35.744659901 CEST	443	49744	147.28.128.252	192.168.2.6
Apr 24, 2024 02:55:35.744694948 CEST	443	49744	147.28.128.252	192.168.2.6
Apr 24, 2024 02:55:44.475451946 CEST	49746	443	192.168.2.6	147.28.128.252
Apr 24, 2024 02:55:44.475491047 CEST	443	49746	147.28.128.252	192.168.2.6
Apr 24, 2024 02:55:44.475559950 CEST	49746	443	192.168.2.6	147.28.128.252
Apr 24, 2024 02:55:44.477931976 CEST	49746	443	192.168.2.6	147.28.128.252
Apr 24, 2024 02:55:44.477941036 CEST	443	49746	147.28.128.252	192.168.2.6
Apr 24, 2024 02:55:44.477981091 CEST	443	49746	147.28.128.252	192.168.2.6
Apr 24, 2024 02:55:56.152559042 CEST	49748	443	192.168.2.6	147.28.128.252
Apr 24, 2024 02:55:56.152616024 CEST	443	49748	147.28.128.252	192.168.2.6
Apr 24, 2024 02:55:56.152692080 CEST	49748	443	192.168.2.6	147.28.128.252
Apr 24, 2024 02:55:56.157581091 CEST	49748	443	192.168.2.6	147.28.128.252
Apr 24, 2024 02:55:56.157597065 CEST	443	49748	147.28.128.252	192.168.2.6
Apr 24, 2024 02:55:56.157881975 CEST	443	49748	147.28.128.252	192.168.2.6
Apr 24, 2024 02:56:13.481482983 CEST	49750	443	192.168.2.6	147.28.128.252
Apr 24, 2024 02:56:13.481529951 CEST	443	49750	147.28.128.252	192.168.2.6
Apr 24, 2024 02:56:13.481591940 CEST	49750	443	192.168.2.6	147.28.128.252
Apr 24, 2024 02:56:13.484803915 CEST	49750	443	192.168.2.6	147.28.128.252
Apr 24, 2024 02:56:13.484827995 CEST	443	49750	147.28.128.252	192.168.2.6
Apr 24, 2024 02:56:13.484877110 CEST	443	49750	147.28.128.252	192.168.2.6
Apr 24, 2024 02:56:37.676341057 CEST	49752	443	192.168.2.6	147.28.128.252
Apr 24, 2024 02:56:37.676381111 CEST	443	49752	147.28.128.252	192.168.2.6
Apr 24, 2024 02:56:37.676476955 CEST	49752	443	192.168.2.6	147.28.128.252
Apr 24, 2024 02:56:37.678949118 CEST	49752	443	192.168.2.6	147.28.128.252
Apr 24, 2024 02:56:37.678956032 CEST	443	49752	147.28.128.252	192.168.2.6
Apr 24, 2024 02:56:37.678988934 CEST	443	49752	147.28.128.252	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 02:54:50.329133034 CEST	58880	53	192.168.2.6	1.1.1.1
Apr 24, 2024 02:54:50.497417927 CEST	53	58880	1.1.1.1	192.168.2.6
Apr 24, 2024 02:55:24.368338108 CEST	53401	53	192.168.2.6	1.1.1.1
Apr 24, 2024 02:55:24.546986103 CEST	53	53401	1.1.1.1	192.168.2.6
Apr 24, 2024 02:55:55.971539021 CEST	60334	53	192.168.2.6	1.1.1.1
Apr 24, 2024 02:55:56.139394045 CEST	53	60334	1.1.1.1	192.168.2.6
Apr 24, 2024 02:56:37.497008085 CEST	58091	53	192.168.2.6	1.1.1.1
Apr 24, 2024 02:56:37.665220022 CEST	53	58091	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 24, 2024 02:54:50.329133034 CEST	192.168.2.6	1.1.1.1	0xb473	Standard query (0)	marcile61.screenconnect.com	A (IP address)	IN (0x0001)	false
Apr 24, 2024 02:55:24.368338108 CEST	192.168.2.6	1.1.1.1	0x8c47	Standard query (0)	instance-ci40ys-relay.screenconnect.com	A (IP address)	IN (0x0001)	false
Apr 24, 2024 02:55:55.971539021 CEST	192.168.2.6	1.1.1.1	0xfebe	Standard query (0)	instance-ci40ys-relay.screenconnect.com	A (IP address)	IN (0x0001)	false
Apr 24, 2024 02:56:37.497008085 CEST	192.168.2.6	1.1.1.1	0xb7dd	Standard query (0)	instance-ci40ys-relay.screenconnect.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 24, 2024 02:54:50.497417927 CEST	1.1.1.1	192.168.2.6	0xb473	No error (0)	marcile61.screenconnect.com	server-nixeba81050-web.screenconnect.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 24, 2024 02:54:50.497417927 CEST	1.1.1.1	192.168.2.6	0xb473	No error (0)	server-nixeba81050-web.screenconnect.com		147.28.128.254	A (IP address)	IN (0x0001)	false
Apr 24, 2024 02:54:54.039295912 CEST	1.1.1.1	192.168.2.6	0xbe8e	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 24, 2024 02:54:54.039295912 CEST	1.1.1.1	192.168.2.6	0xbe8e	No error (0)	fp2e7a.wpc.phicdn.net		192.229.211.108	A (IP address)	IN (0x0001)	false
Apr 24, 2024 02:54:55.404736996 CEST	1.1.1.1	192.168.2.6	0x77a1	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 24, 2024 02:54:55.404736996 CEST	1.1.1.1	192.168.2.6	0x77a1	No error (0)	fp2e7a.wpc.phicdn.net		192.229.211.108	A (IP address)	IN (0x0001)	false
Apr 24, 2024 02:55:24.546986103 CEST	1.1.1.1	192.168.2.6	0x8c47	No error (0)	instance-ci40ys-relay.screenconnect.com	server-nixeba81050-relay.screenconnect.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 24, 2024 02:55:24.546986103 CEST	1.1.1.1	192.168.2.6	0x8c47	No error (0)	server-nixeba81050-relay.screenconnect.com		147.28.128.252	A (IP address)	IN (0x0001)	false
Apr 24, 2024 02:55:56.139394045 CEST	1.1.1.1	192.168.2.6	0xfebe	No error (0)	instance-ci40ys-relay.screenconnect.com	server-nixeba81050-relay.screenconnect.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 24, 2024 02:55:56.139394045 CEST	1.1.1.1	192.168.2.6	0xfebe	No error (0)	server-nixeba81050-relay.screenconnect.com		147.28.128.252	A (IP address)	IN (0x0001)	false
Apr 24, 2024 02:56:37.665220022 CEST	1.1.1.1	192.168.2.6	0xb7dd	No error (0)	instance-ci40ys-relay.screenconnect.com	server-nixeba81050-relay.screenconnect.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 24, 2024 02:56:37.665220022 CEST	1.1.1.1	192.168.2.6	0xb7dd	No error (0)	server-nixeba81050-relay.screenconnect.com		147.28.128.252	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

marcile61.screenconnect.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49714	147.28.128.254	443	1048	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 00:54:51 UTC	654	OUT	GET /Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=instance-ci40ys-relay.screenconnect.com&p=443&s=f5fa31ab-3d6b-4ee5-bfb2-5ad29218d79d&k=BgIAAACkAABSU0ExAAgAAAEAAQD9W8zoNnWPJoC76yT2IsLormUE81mBMnaWjFNs3fZDUt%2fuPrvind%2f8vwd0BQl3L0KToJz0OEFRb9JGHP3C35cRcpSBwPza6Nz%2fkAsAH0ilFSAm8EWT2EeRPlbvdxwcDAiKBZ83L%2buWfTmIYPnucJuK3Ilz9SL%2ffGZRWRlZKvsfRj3gKzbvZ1GMSafa1764zjIi6OZySfgjZVNBAxrg21rNeq4Q4RYmuEHkOyZ0quLNNoGAclMpQWUsVu3cBwsmOWEqC%2fG4l1BxM563kpsC1GTA3rjAUmyvvkBXzg9HU7hKY%2bllFed5jp%2fhAgzJv6mqZQpOpRNIzwXj41kCzYdVD%2bu0&r=&i=Untitled%20Session HTTP/1.1 Host: marcile61.screenconnect.com Accept-Encoding: gzip Connection: Keep-Alive
2024-04-24 00:54:51 UTC	274	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 112936 Content-Type: application/x-ms-application; charset=utf-8 Server: ScreenConnect/23.9.10.8817-2370965207 Microsoft-HTTPAPI/2.0 X-Robots-Tag: noindex Date: Wed, 24 Apr 2024 00:54:51 GMT Connection: close
2024-04-24 00:54:51 UTC	16110	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 61 73 6d 76 31 3a 61 73 73 65 6d 62 6c 79 20 78 73 69 3a 73 63 68 65 6d 61 4c 6f 63 61 74 69 6f 6e 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 31 20 61 73 73 65 6d 62 6c 79 2e 61 64 61 70 74 69 76 65 2e 78 73 64 22 20 6d 61 6e 69 66 65 73 74 56 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 78 6d 6c 6e 73 3a 61 73 6d 76 31 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 31 22 20 78 6d 6c 6e 73 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 32 22 20 78 6d 6c 6e 73 3a 61 73 6d 76 32 3d Data Ascii: <?xml version="1.0" encoding="utf-8"?><asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2=
2024-04-24 00:54:51 UTC	16384	IN	Data Raw: 50 43 41 41 41 4a 69 59 41 41 50 38 32 41 41 44 51 4e 41 41 41 48 56 77 41 41 4e 35 4b 41 41 44 56 4d 67 41 41 46 53 63 41 41 4d 68 46 41 41 43 56 43 67 41 41 33 68 59 41 41 50 78 6f 41 41 41 70 50 41 41 41 73 77 77 41 41 47 31 6f 41 41 42 69 46 51 41 41 76 57 34 41 41 42 68 72 41 41 43 70 61 51 41 41 78 41 59 41 41 49 42 53 41 41 43 36 45 41 41 41 77 67 6f 41 41 4f 39 44 41 41 44 55 4d 41 41 41 2b 42 63 41 41 46 4e 45 41 41 41 2f 57 51 41 41 6c 77 34 41 41 4a 73 75 41 41 41 30 52 77 41 41 43 43 73 41 41 46 4d 59 41 41 42 61 54 51 41 41 64 69 41 41 41 42 39 67 41 41 43 52 4d 41 41 41 6b 47 6f 41 41 49 34 72 41 41 42 5a 4c 77 41 41 30 41 4d 41 41 43 70 55 41 41 43 30 51 77 41 41 51 6a 67 41 41 41 39 74 41 41 42 64 5a 67 41 41 76 32 49 41 41 45 63 68 41 41 Data Ascii: PCAAAJiYAAP82AADQNAAAHVwAAN5KAADVMgAAFScAAMhFAACVCgAA3hYAAPxoAAApPAAAswwAAG1oAABiFQAAvW4AABhrAACpaQAAxAYAAIBSAAC6EAAAwgoAAO9DAADUMAAA+BcAAFNEAAA/WQAAlw4AAJsuAAA0RwAACCsAAFMYAABaTQAAdiAAAB9gAACRMAAAkGoAAI4rAABZLwAA0AMAACpUAAC0QwAAQjgAAA9tAABdZgAAv2IAAEchAA
2024-04-24 00:54:51 UTC	16384	IN	Data Raw: 41 5a 51 42 73 41 46 4d 41 5a 51 42 73 41 47 55 41 59 77 42 30 41 45 67 41 5a 51 42 73 41 48 41 41 55 41 42 79 41 47 38 41 64 67 42 70 41 47 51 41 5a 51 42 79 41 46 51 41 61 51 42 30 41 47 77 41 5a 51 42 36 45 41 41 41 59 45 4d 41 62 77 42 75 41 48 51 41 63 67 42 76 41 47 77 41 55 41 42 68 41 47 34 41 5a 51 42 73 41 46 4d 41 5a 51 42 73 41 47 55 41 59 77 42 30 41 45 67 41 5a 51 42 73 41 48 41 41 5a 51 42 79 41 45 67 41 61 51 42 6e 41 47 67 41 62 41 42 70 41 47 63 41 61 41 42 30 41 46 51 41 62 77 42 76 41 47 77 41 52 41 42 6c 41 48 4d 41 59 77 42 79 41 47 6b 41 63 41 42 30 41 47 6b 41 62 77 42 75 41 49 73 51 41 41 42 55 51 77 42 76 41 47 34 41 64 41 42 79 41 47 38 41 62 41 42 51 41 47 45 41 62 67 42 6c 41 47 77 41 55 77 42 6c 41 47 77 41 5a 51 42 6a 41 48 Data Ascii: AZQBsAFMAZQBsAGUAYwB0AEgAZQBsAHAAUAByAG8AdgBpAGQAZQByAFQAaQB0AGwAZQB6EAAAYEMAbwBuAHQAcgBvAGwAUABhAG4AZQBsAFMAZQBsAGUAYwB0AEgAZQBsAHAAZQByAEgAaQBnAGgAbABpAGcAaAB0AFQAbwBvAGwARABlAHMAYwByAGkAcAB0AGkAbwBuAIsQAABUQwBvAG4AdAByAG8AbABQAGEAbgBlAGwAUwBlAGwAZQBjAH
2024-04-24 00:54:51 UTC	16384	IN	Data Raw: 54 41 48 41 41 5a 51 42 6a 41 47 6b 41 5a 67 42 35 41 46 51 41 61 51 42 30 41 47 77 41 5a 51 42 47 41 47 38 41 63 67 42 74 41 47 45 41 64 41 41 44 4f 51 41 41 4c 46 49 41 5a 51 42 69 41 47 38 41 62 77 42 30 41 45 4d 41 59 51 42 75 41 47 4d 41 5a 51 42 73 41 45 49 41 64 51 42 30 41 48 51 41 62 77 42 75 41 46 51 41 5a 51 42 34 41 48 51 41 48 7a 6b 41 41 42 70 53 41 47 55 41 59 67 42 76 41 47 38 41 64 41 42 4e 41 47 55 41 63 77 42 7a 41 47 45 41 5a 77 42 6c 41 43 63 35 41 41 41 73 55 67 42 6c 41 47 49 41 62 77 42 76 41 48 51 41 55 67 42 6c 41 47 49 41 62 77 42 76 41 48 51 41 51 67 42 31 41 48 51 41 64 41 42 76 41 47 34 41 56 41 42 6c 41 48 67 41 64 41 43 67 4f 51 41 41 59 6c 49 41 5a 51 42 69 41 47 38 41 62 77 42 30 41 46 49 41 5a 51 42 6a 41 47 38 41 62 67 Data Ascii: TAHAAZQBjAGkAZgB5AFQAaQB0AGwAZQBGAG8AcgBtAGEAdAADOQAALFIAZQBiAG8AbwB0AEMAYQBuAGMAZQBsAEIAdQB0AHQAbwBuAFQAZQB4AHQAHzkAABpSAGUAYgBvAG8AdABNAGUAcwBzAGEAZwBlACc5AAAsUgBlAGIAbwBvAHQAUgBlAGIAbwBvAHQAQgB1AHQAdABvAG4AVABlAHgAdACgOQAAYlIAZQBiAG8AbwB0AFIAZQBjAG8Abg
2024-04-24 00:54:51 UTC	16384	IN	Data Raw: 67 5a 57 35 6a 63 6e 6c 77 64 47 56 6b 49 47 46 75 5a 43 42 7a 64 47 39 79 5a 57 51 75 49 46 6c 76 64 58 49 67 61 47 39 7a 64 43 42 6a 59 57 34 67 63 32 56 75 5a 43 42 30 61 47 56 7a 5a 53 42 6a 63 6d 56 6b 5a 57 35 30 61 57 46 73 63 79 42 30 62 79 42 30 61 47 55 67 63 32 4e 79 5a 57 56 75 49 47 46 30 49 47 46 75 65 53 42 30 61 57 31 6c 4c 67 30 4b 44 51 70 55 61 47 55 67 64 58 4e 6c 63 69 42 75 59 57 31 6c 49 47 6c 7a 49 48 4e 6c 62 6e 51 67 64 47 38 67 62 6d 39 79 62 57 46 73 49 48 52 6c 65 48 51 67 59 6d 39 34 5a 58 4d 75 49 46 52 6f 5a 53 42 77 59 58 4e 7a 64 32 39 79 5a 43 42 70 63 79 42 7a 5a 57 35 30 49 48 52 76 49 48 4e 77 5a 57 4e 70 59 57 77 67 63 47 46 7a 63 33 64 76 63 6d 51 67 64 47 56 34 64 43 42 69 62 33 68 6c 63 79 77 67 63 32 38 67 64 47 Data Ascii: gZW5jcnlwdGVkIGFuZCBzdG9yZWQuIFlvdXIgaG9zdCBjYW4gc2VuZCB0aGVzZSBjcmVkZW50aWFscyB0byB0aGUgc2NyZWVuIGF0IGFueSB0aW1lLg0KDQpUaGUgdXNlciBuYW1lIGlzIHNlbnQgdG8gbm9ybWFsIHRleHQgYm94ZXMuIFRoZSBwYXNzd29yZCBpcyBzZW50IHRvIHNwZWNpYWwgcGFzc3dvcmQgdGV4dCBib3hlcywgc28gdG
2024-04-24 00:54:51 UTC	16384	IN	Data Raw: 6d 4a 62 42 41 78 67 4c 62 50 67 4e 58 6d 56 39 6c 46 46 34 6a 31 59 78 68 74 73 69 34 41 42 72 47 55 51 76 43 62 56 31 4d 2f 61 4a 2b 41 44 41 6b 62 41 43 42 67 67 48 71 58 67 4e 52 6d 6d 66 74 5a 6a 41 6a 37 59 78 56 4e 73 69 34 41 42 37 43 56 34 54 5a 78 47 32 6b 63 64 45 50 41 42 41 53 4e 67 42 41 79 67 2f 7a 31 68 45 78 67 73 34 78 7a 62 49 6d 41 41 65 35 6b 47 37 38 6b 73 39 62 50 32 69 50 68 67 46 65 2b 77 4c 51 49 47 73 4a 64 32 38 4a 35 34 71 5a 39 56 49 65 4b 44 56 5a 78 67 57 31 4d 43 44 72 2f 73 44 34 6d 79 41 4e 66 51 6b 35 76 45 77 55 6c 67 73 49 7a 6e 32 4e 61 55 67 46 73 49 47 43 43 53 76 74 77 6b 6a 6b 4c 68 51 30 49 2b 32 4d 51 70 74 6b 58 41 41 50 59 53 54 75 4b 59 70 6e 38 59 34 36 44 42 4c 72 41 74 41 67 61 77 46 38 6d 44 77 49 55 36 Data Ascii: mJbBAxgLbPgNXmV9lFF4j1Yxhtsi4ABrGUQvCbV1M/aJ+ADAkbACBggHqXgNRmmftZjAj7YxVNsi4AB7CV4TZxG2kcdEPABASNgBAyg/z1hExgs4xzbImAAe5kG78ks9bP2iPhgFe+wLQIGsJd28J54qZ9VIeKDVZxgW1MCDr/sD4myANfQk5vEwUlgsIzn2NaUgFsIGCCSvtwkjkLhQ0I+2MQptkXAAPYSTuKYpn8Y46DBLrAtAgawF8mDwIU6
2024-04-24 00:54:52 UTC	14906	IN	Data Raw: 55 38 41 69 33 69 6e 63 67 56 2b 32 36 30 50 36 78 58 66 49 67 43 55 37 33 79 31 74 44 69 35 2b 38 6c 4c 6e 57 52 7a 55 6f 4e 32 46 4d 43 48 4b 67 48 63 74 51 2b 4c 49 57 41 41 51 32 64 4f 4f 6e 4b 46 35 68 34 6c 65 5a 31 6b 6d 2f 54 78 53 43 52 48 41 62 79 6e 45 38 44 68 51 78 6c 6d 71 55 41 44 79 42 77 36 61 62 2f 4a 65 33 54 6a 4c 57 6a 77 66 71 4b 54 62 4c 2f 36 57 45 66 70 4b 49 44 66 36 41 52 77 32 49 64 31 74 67 2b 4c 4e 5a 51 41 73 6d 68 63 45 38 48 70 36 6d 62 68 6b 2f 65 4d 30 6e 72 4f 7a 69 6a 77 66 77 6c 67 4e 33 4e 49 58 66 75 77 71 45 41 44 79 48 59 4a 58 6b 35 48 50 6e 70 50 4b 53 30 48 38 37 47 4f 30 6c 45 41 76 31 59 4b 34 48 4e 39 57 46 4e 55 6f 41 46 49 57 47 6d 6d 6c 39 5a 6f 31 4b 73 6a 64 77 77 54 4f 74 46 57 75 75 56 68 48 61 57 6a Data Ascii: U8Ai3incgV+260P6xXfIgCU73y1tDi5+8lLnWRzUoN2FMCHKgHctQ+LIWAAQ2dOOnKF5h4leZ1km/TxSCRHAbynE8DhQxlmqUADyBw6ab/Je3TjLWjwfqKTbL/6WEfpKIDf6ARw2Id1tg+LNZQAsmhcE8Hp6mbhk/eM0nrOzijwfwlgN3NIXfuwqEADyHYJXk5HPnpPKS0H87GO0lEAv1YK4HN9WFNUoAFIWGmml9Zo1KsjdwwTOtFWuuVhHaWj

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49716	147.28.128.254	443	1048	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 00:54:53 UTC	109	OUT	GET /Bin/ScreenConnect.Client.manifest HTTP/1.1 Host: marcile61.screenconnect.com Accept-Encoding: gzip
2024-04-24 00:54:53 UTC	239	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 17866 Content-Type: text/html Server: ScreenConnect/23.9.10.8817-2370965207 Microsoft-HTTPAPI/2.0 X-Robots-Tag: noindex Date: Wed, 24 Apr 2024 00:54:52 GMT Connection: close
2024-04-24 00:54:53 UTC	16145	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 61 73 6d 76 31 3a 61 73 73 65 6d 62 6c 79 20 78 73 69 3a 73 63 68 65 6d 61 4c 6f 63 61 74 69 6f 6e 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 31 20 61 73 73 65 6d 62 6c 79 2e 61 64 61 70 74 69 76 65 2e 78 73 64 22 20 6d 61 6e 69 66 65 73 74 56 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 78 6d 6c 6e 73 3a 61 73 6d 76 31 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 31 22 20 78 6d 6c 6e 73 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 32 22 20 78 6d 6c 6e 73 3a 61 73 6d 76 Data Ascii: <?xml version="1.0" encoding="utf-8"?><asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv
2024-04-24 00:54:53 UTC	1721	IN	Data Raw: 66 4d 6a 71 47 7a 4c 6d 79 73 4c 30 70 36 4d 44 44 6e 53 6c 72 7a 6d 32 71 32 41 53 34 2b 6a 57 75 66 63 78 34 64 79 74 35 42 69 67 32 4d 45 6a 52 30 65 7a 6f 51 39 75 6f 36 74 74 6d 41 61 44 47 37 64 71 5a 79 33 53 76 55 51 61 6b 68 43 42 6a 37 41 37 43 64 66 48 6d 7a 4a 61 77 76 39 71 59 46 53 4c 53 63 47 54 37 65 47 30 58 4f 42 76 36 79 62 35 6a 4e 57 79 2b 54 67 51 35 75 72 4f 6b 66 57 2b 30 2f 74 76 6b 32 45 30 58 4c 79 54 52 53 69 44 4e 69 70 6d 4b 46 2b 77 63 38 36 4c 4a 69 55 47 73 6f 50 55 58 50 59 56 47 55 7a 74 59 75 42 65 4d 2f 4c 6f 36 4f 77 4b 70 37 41 44 4b 35 47 79 4e 6e 6d 2b 39 36 30 49 48 6e 57 6d 5a 63 79 37 34 30 68 51 38 33 65 52 47 76 37 62 55 4b 4a 47 79 47 46 59 6d 50 56 38 41 68 59 38 67 79 69 74 4f 59 62 73 31 4c 63 4e 55 39 44 Data Ascii: fMjqGzLmysL0p6MDDnSlrzm2q2AS4+jWufcx4dyt5Big2MEjR0ezoQ9uo6ttmAaDG7dqZy3SvUQakhCBj7A7CdfHmzJawv9qYFSLScGT7eG0XOBv6yb5jNWy+TgQ5urOkfW+0/tvk2E0XLyTRSiDNipmKF+wc86LJiUGsoPUXPYVGUztYuBeM/Lo6OwKp7ADK5GyNnm+960IHnWmZcy740hQ83eRGv7bUKJGyGFYmPV8AhY8gyitOYbs1LcNU9D

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49725	147.28.128.254	443	1048	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 00:54:59 UTC	135	OUT	GET /Bin/ScreenConnect.ClientService.exe HTTP/1.1 Host: marcile61.screenconnect.com Accept-Encoding: gzip Connection: Keep-Alive
2024-04-24 00:54:59 UTC	239	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 95520 Content-Type: text/html Server: ScreenConnect/23.9.10.8817-2370965207 Microsoft-HTTPAPI/2.0 X-Robots-Tag: noindex Date: Wed, 24 Apr 2024 00:54:58 GMT Connection: close
2024-04-24 00:54:59 UTC	16145	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 f8 10 28 a3 bc 71 46 f0 bc 71 46 f0 bc 71 46 f0 08 ed b7 f0 b6 71 46 f0 08 ed b5 f0 c6 71 46 f0 08 ed b4 f0 a4 71 46 f0 3c 0a 42 f1 ad 71 46 f0 3c 0a 45 f1 a8 71 46 f0 3c 0a 43 f1 96 71 46 f0 b5 09 d5 f0 b6 71 46 f0 a2 23 d5 f0 bf 71 46 f0 bc 71 47 f0 cc 71 46 f0 32 0a 4f f1 bd 71 46 f0 32 0a b9 f0 bd 71 46 f0 32 0a 44 f1 bd 71 46 f0 52 69 63 68 bc 71 46 f0 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$(qFqFqFqFqFqF<BqF<EqF<CqFqF#qFqGqF2OqF2qF2DqFRichqF
2024-04-24 00:54:59 UTC	16384	IN	Data Raw: 68 74 dd 40 00 68 7c dd 40 00 6a 02 e8 85 fe ff ff 83 c4 10 8b f0 ff 75 08 85 f6 74 0c 8b ce ff 15 88 d1 40 00 ff d6 eb 06 ff 15 e4 d0 40 00 5e 5d c3 55 8b ec 56 68 90 dd 40 00 68 88 dd 40 00 68 90 dd 40 00 6a 03 e8 4a fe ff ff 83 c4 10 8b f0 ff 75 0c ff 75 08 85 f6 74 0c 8b ce ff 15 88 d1 40 00 ff d6 eb 06 ff 15 e8 d0 40 00 5e 5d c3 55 8b ec 56 68 a4 dd 40 00 68 9c dd 40 00 68 a4 dd 40 00 6a 04 e8 0c fe ff ff 8b f0 83 c4 10 85 f6 74 15 ff 75 10 8b ce ff 75 0c ff 75 08 ff 15 88 d1 40 00 ff d6 eb 0c ff 75 0c ff 75 08 ff 15 60 d0 40 00 5e 5d c3 56 e8 56 ed ff ff 8b 70 04 85 f6 74 0a 8b ce ff 15 88 d1 40 00 ff d6 e8 de 15 00 00 cc 55 8b ec 8b 45 10 8b 4d 08 81 78 04 80 00 00 00 7f 06 0f be 41 08 5d c3 8b 41 08 5d c3 55 8b ec 8b 45 08 8b 4d 10 89 48 08 5d c3 Data Ascii: ht@h\|@jut@@^]UVh@h@h@jJuut@@^]UVh@h@h@jtuuu@uu`@^]VVpt@UEMxA]A]UEMH]
2024-04-24 00:55:00 UTC	16384	IN	Data Raw: 40 0c 8b 48 7c 85 c9 74 03 f0 ff 01 8b 88 84 00 00 00 85 c9 74 03 f0 ff 01 8b 88 80 00 00 00 85 c9 74 03 f0 ff 01 8b 88 8c 00 00 00 85 c9 74 03 f0 ff 01 56 6a 06 8d 48 28 5e 81 79 f8 38 46 41 00 74 09 8b 11 85 d2 74 03 f0 ff 02 83 79 f4 00 74 0a 8b 51 fc 85 d2 74 03 f0 ff 02 83 c1 10 83 ee 01 75 d6 ff b0 9c 00 00 00 e8 4e 01 00 00 59 5e 5d c3 8b ff 55 8b ec 51 53 56 8b 75 08 57 8b 86 88 00 00 00 85 c0 74 6c 3d 48 46 41 00 74 65 8b 46 7c 85 c0 74 5e 83 38 00 75 59 8b 86 84 00 00 00 85 c0 74 18 83 38 00 75 13 50 e8 30 d9 ff ff ff b6 88 00 00 00 e8 28 fb ff ff 59 59 8b 86 80 00 00 00 85 c0 74 18 83 38 00 75 13 50 e8 0e d9 ff ff ff b6 88 00 00 00 e8 04 fc ff ff 59 59 ff 76 7c e8 f9 d8 ff ff ff b6 88 00 00 00 e8 ee d8 ff ff 59 59 8b 86 8c 00 00 00 85 c0 74 45 Data Ascii: @H\|ttttVjH(^y8FAttytQtuNY^]UQSVuWtl=HFAteF\|t^8uYt8uP0(YYt8uPYYv\|YYtE
2024-04-24 00:55:00 UTC	16384	IN	Data Raw: b7 41 14 0f b7 59 06 83 c0 18 03 c1 85 db 74 1b 8b 7d 0c 8b 70 0c 3b fe 72 09 8b 48 08 03 ce 3b f9 72 0a 42 83 c0 28 3b d3 72 e8 33 c0 5f 5e 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 6a fe 68 20 2e 41 00 68 80 36 40 00 64 a1 00 00 00 00 50 83 ec 08 53 56 57 a1 04 40 41 00 31 45 f8 33 c5 50 8d 45 f0 64 a3 00 00 00 00 89 65 e8 c7 45 fc 00 00 00 00 68 00 00 40 00 e8 7c 00 00 00 83 c4 04 85 c0 74 54 8b 45 08 2d 00 00 40 00 50 68 00 00 40 00 e8 52 ff ff ff 83 c4 08 85 c0 74 3a 8b 40 24 c1 e8 1f f7 d0 83 e0 01 c7 45 fc fe ff ff ff 8b 4d f0 64 89 0d 00 00 00 00 59 5f 5e 5b 8b e5 5d c3 8b 45 ec 8b 00 33 c9 81 38 05 00 00 c0 0f 94 c1 8b c1 c3 8b 65 e8 c7 45 fc fe ff ff ff 33 c0 8b 4d f0 64 89 0d 00 00 00 00 59 5f 5e 5b 8b e5 5d c3 cc cc cc cc cc cc Data Ascii: AYt}p;rH;rB(;r3_^[]Ujh .Ah6@dPSVW@A1E3PEdeEh@\|tTE-@Ph@Rt:@$EMdY_^[]E38eE3MdY_^[]
2024-04-24 00:55:00 UTC	16384	IN	Data Raw: 00 79 00 2d 00 67 00 62 00 00 00 64 00 61 00 2d 00 64 00 6b 00 00 00 64 00 65 00 2d 00 61 00 74 00 00 00 64 00 65 00 2d 00 63 00 68 00 00 00 64 00 65 00 2d 00 64 00 65 00 00 00 64 00 65 00 2d 00 6c 00 69 00 00 00 64 00 65 00 2d 00 6c 00 75 00 00 00 64 00 69 00 76 00 2d 00 6d 00 76 00 00 00 00 00 65 00 6c 00 2d 00 67 00 72 00 00 00 65 00 6e 00 2d 00 61 00 75 00 00 00 65 00 6e 00 2d 00 62 00 7a 00 00 00 65 00 6e 00 2d 00 63 00 61 00 00 00 65 00 6e 00 2d 00 63 00 62 00 00 00 65 00 6e 00 2d 00 67 00 62 00 00 00 65 00 6e 00 2d 00 69 00 65 00 00 00 65 00 6e 00 2d 00 6a 00 6d 00 00 00 65 00 6e 00 2d 00 6e 00 7a 00 00 00 65 00 6e 00 2d 00 70 00 68 00 00 00 65 00 6e 00 2d 00 74 00 74 00 00 00 65 00 6e 00 2d 00 75 00 73 00 00 00 65 00 6e 00 2d 00 7a 00 61 00 00 00 Data Ascii: y-gbda-dkde-atde-chde-dede-lide-ludiv-mvel-gren-auen-bzen-caen-cben-gben-ieen-jmen-nzen-phen-tten-usen-za
2024-04-24 00:55:00 UTC	13839	IN	Data Raw: 32 61 32 91 32 a0 32 b6 32 cc 32 e3 32 ea 32 f6 32 09 33 0e 33 1a 33 1f 33 30 33 9a 33 a1 33 b3 33 bc 33 04 34 16 34 1e 34 28 34 31 34 42 34 54 34 6f 34 af 34 c1 34 c7 34 db 34 2f 35 39 35 3f 35 45 35 b0 35 b9 35 f2 35 fd 35 f2 37 25 38 2a 38 50 39 68 39 95 39 b0 39 c0 39 c5 39 cf 39 d4 39 df 39 ea 39 fe 39 4f 3a f6 3a 17 3b 70 3b 7b 3b ca 3b e2 3b 2c 3c c2 3c d9 3c 57 3d 9b 3d ad 3d e3 3d e8 3d f5 3d 01 3e 17 3e 2a 3e 5d 3e 6c 3e 71 3e 82 3e 88 3e 93 3e 9b 3e a6 3e ac 3e b7 3e bd 3e cb 3e d4 3e d9 3e e6 3e eb 3e f8 3e 06 3f 0d 3f 15 3f 2e 3f 40 3f 4c 3f 54 3f 6c 3f 91 3f a2 3f ab 3f f2 3f 00 60 00 00 18 01 00 00 26 30 4d 30 67 30 be 30 cb 30 d6 30 e0 30 e6 30 fa 30 06 31 7f 31 88 31 b4 31 bd 31 c5 31 e2 31 07 32 19 32 35 32 59 32 74 32 7f 32 25 33 d8 33 Data Ascii: 2a222222223333033333444(414B4T4o44444/595?5E555557%88P9h9999999999O::;p;{;;;,<<<W======>>>]>l>q>>>>>>>>>>>>>>>???.?@?L?T?l?????`&0M0g000000011111112252Y2t22%33

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49726	147.28.128.254	443	1048	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 00:55:00 UTC	143	OUT	GET /Bin/ScreenConnect.WindowsBackstageShell.exe HTTP/1.1 Host: marcile61.screenconnect.com Accept-Encoding: gzip Connection: Keep-Alive
2024-04-24 00:55:01 UTC	239	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 61216 Content-Type: text/html Server: ScreenConnect/23.9.10.8817-2370965207 Microsoft-HTTPAPI/2.0 X-Robots-Tag: noindex Date: Wed, 24 Apr 2024 00:55:01 GMT Connection: close
2024-04-24 00:55:01 UTC	16145	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 c7 22 97 a5 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 ba 00 00 00 0a 00 00 00 00 00 00 36 d8 00 00 00 20 00 00 00 e0 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 01 00 00 02 00 00 e4 d4 01 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL""06 @ @
2024-04-24 00:55:01 UTC	16384	IN	Data Raw: 2a 15 01 36 00 aa 17 76 0e 36 00 37 28 7b 0e 36 00 59 28 7b 0e 36 00 4c 27 7b 0e 01 00 39 0c 65 0e 16 00 8b 16 7f 0e 16 00 58 0d 87 0e 36 00 6d 08 8f 0e 16 00 01 00 93 0e 06 00 ef 10 22 0a 06 00 60 10 22 0a 06 00 53 26 7b 0e 06 00 fa 1d 68 0e 06 00 31 0f 4b 00 06 00 04 1b 9d 0e 06 00 64 1f a1 0e 06 00 8a 27 a6 0e 06 00 95 18 22 0a 36 00 6d 08 aa 0e 16 00 9b 00 af 0e 16 00 b4 00 af 0e 16 00 29 03 af 0e 36 00 6d 08 b9 0e 16 00 37 01 af 0e 06 00 d0 1c be 0e 16 00 b9 1a c3 0e 36 00 6d 08 d0 0e 16 00 25 00 d5 0e 16 00 47 19 87 0e 36 00 6d 08 e7 0e 16 00 ff 07 ec 0e 16 00 36 08 f7 0e 06 00 20 2f 01 0f 06 00 62 20 57 0e 06 00 d7 19 06 0f 06 00 e9 19 06 0f 06 00 81 19 0b 0f 16 00 b9 1a c3 0e 36 00 6d 08 10 0f 16 00 e7 00 15 0f 16 00 46 03 1e 0f 16 00 d4 05 29 0f Data Ascii: *6v67({6Y({6L'{9eX6m"`"S&{h1Kd'"6m)6m76m%G6m6 /b W6mF)
2024-04-24 00:55:01 UTC	16384	IN	Data Raw: 6c 00 3c 30 3e 5f 5f 46 72 65 65 48 47 6c 6f 62 61 6c 00 67 65 74 5f 56 65 72 74 69 63 61 6c 00 4d 61 72 73 68 61 6c 00 67 65 74 5f 48 6f 72 69 7a 6f 6e 74 61 6c 00 70 69 64 6c 00 73 65 61 72 63 68 42 6f 78 49 6e 70 75 74 4c 65 6e 67 74 68 54 68 72 65 73 68 6f 6c 64 4c 61 62 65 6c 00 53 79 73 74 65 6d 2e 43 6f 6d 70 6f 6e 65 6e 74 4d 6f 64 65 6c 00 61 64 64 5f 4d 6f 75 73 65 57 68 65 65 6c 00 50 6f 70 75 6c 61 74 65 50 61 6e 65 6c 00 65 6d 70 74 79 52 65 73 75 6c 74 73 50 61 6e 65 6c 00 72 65 73 75 6c 74 73 50 61 6e 65 6c 00 70 61 6e 65 6c 00 53 65 6c 65 63 74 41 6c 6c 00 53 63 72 65 65 6e 43 6f 6e 6e 65 63 74 2e 57 69 6e 64 6f 77 73 42 61 63 6b 73 74 61 67 65 53 68 65 6c 6c 00 73 65 74 5f 41 75 74 6f 53 63 72 6f 6c 6c 00 41 73 73 65 72 74 4e 6f 6e 4e 75 Data Ascii: l<0>__FreeHGlobalget_VerticalMarshalget_HorizontalpidlsearchBoxInputLengthThresholdLabelSystem.ComponentModeladd_MouseWheelPopulatePanelemptyResultsPanelresultsPanelpanelSelectAllScreenConnect.WindowsBackstageShellset_AutoScrollAssertNonNu
2024-04-24 00:55:01 UTC	12303	IN	Data Raw: 00 6e 00 61 00 6d 00 65 00 00 00 53 00 63 00 72 00 65 00 65 00 6e 00 43 00 6f 00 6e 00 6e 00 65 00 63 00 74 00 2e 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 42 00 61 00 63 00 6b 00 73 00 74 00 61 00 67 00 65 00 53 00 68 00 65 00 6c 00 6c 00 2e 00 65 00 78 00 65 00 00 00 3c 00 0e 00 01 00 50 00 72 00 6f 00 64 00 75 00 63 00 74 00 4e 00 61 00 6d 00 65 00 00 00 00 00 53 00 63 00 72 00 65 00 65 00 6e 00 43 00 6f 00 6e 00 6e 00 65 00 63 00 74 00 00 00 3e 00 0d 00 01 00 50 00 72 00 6f 00 64 00 75 00 63 00 74 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 00 00 32 00 33 00 2e 00 39 00 2e 00 31 00 30 00 2e 00 38 00 38 00 31 00 37 00 00 00 00 00 42 00 0d 00 01 00 41 00 73 00 73 00 65 00 6d 00 62 00 6c 00 79 00 20 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 00 00 Data Ascii: nameScreenConnect.WindowsBackstageShell.exe<ProductNameScreenConnect>ProductVersion23.9.10.8817BAssembly Version

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49727	147.28.128.254	443	1048	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 00:55:02 UTC	123	OUT	GET /Bin/ScreenConnect.WindowsFileManager.exe.config HTTP/1.1 Host: marcile61.screenconnect.com Accept-Encoding: gzip
2024-04-24 00:55:02 UTC	237	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 266 Content-Type: text/html Server: ScreenConnect/23.9.10.8817-2370965207 Microsoft-HTTPAPI/2.0 X-Robots-Tag: noindex Date: Wed, 24 Apr 2024 00:55:02 GMT Connection: close
2024-04-24 00:55:02 UTC	266	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e 3e 0d 0a 20 20 3c 73 74 61 72 74 75 70 3e 0d 0a 20 20 20 20 3c 73 75 70 70 6f 72 74 65 64 52 75 6e 74 69 6d 65 20 76 65 72 73 69 6f 6e 3d 22 76 34 2e 30 22 20 2f 3e 0d 0a 20 20 20 20 3c 73 75 70 70 6f 72 74 65 64 52 75 6e 74 69 6d 65 20 76 65 72 73 69 6f 6e 3d 22 76 32 2e 30 2e 35 30 37 32 37 22 20 2f 3e 0d 0a 20 20 3c 2f 73 74 61 72 74 75 70 3e 0d 0a 20 20 3c 72 75 6e 74 69 6d 65 3e 0d 0a 20 20 20 20 3c 67 65 6e 65 72 61 74 65 50 75 62 6c 69 73 68 65 72 45 76 69 64 65 6e 63 65 20 65 6e 61 62 6c 65 64 3d 22 66 61 6c 73 65 22 20 2f 3e 0d 0a 20 20 3c 2f 72 75 6e 74 69 6d 65 3e 0d 0a 3c 2f 63 6f 6e Data Ascii: <?xml version="1.0" encoding="utf-8"?><configuration> <startup> <supportedRuntime version="v4.0" /> <supportedRuntime version="v2.0.50727" /> </startup> <runtime> <generatePublisherEvidence enabled="false" /> </runtime></con

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49728	147.28.128.254	443	1048	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 00:55:03 UTC	142	OUT	GET /Bin/ScreenConnect.WindowsClient.exe.config HTTP/1.1 Host: marcile61.screenconnect.com Accept-Encoding: gzip Connection: Keep-Alive
2024-04-24 00:55:03 UTC	237	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 266 Content-Type: text/html Server: ScreenConnect/23.9.10.8817-2370965207 Microsoft-HTTPAPI/2.0 X-Robots-Tag: noindex Date: Wed, 24 Apr 2024 00:55:03 GMT Connection: close
2024-04-24 00:55:03 UTC	266	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e 3e 0d 0a 20 20 3c 73 74 61 72 74 75 70 3e 0d 0a 20 20 20 20 3c 73 75 70 70 6f 72 74 65 64 52 75 6e 74 69 6d 65 20 76 65 72 73 69 6f 6e 3d 22 76 34 2e 30 22 20 2f 3e 0d 0a 20 20 20 20 3c 73 75 70 70 6f 72 74 65 64 52 75 6e 74 69 6d 65 20 76 65 72 73 69 6f 6e 3d 22 76 32 2e 30 2e 35 30 37 32 37 22 20 2f 3e 0d 0a 20 20 3c 2f 73 74 61 72 74 75 70 3e 0d 0a 20 20 3c 72 75 6e 74 69 6d 65 3e 0d 0a 20 20 20 20 3c 67 65 6e 65 72 61 74 65 50 75 62 6c 69 73 68 65 72 45 76 69 64 65 6e 63 65 20 65 6e 61 62 6c 65 64 3d 22 66 61 6c 73 65 22 20 2f 3e 0d 0a 20 20 3c 2f 72 75 6e 74 69 6d 65 3e 0d 0a 3c 2f 63 6f 6e Data Ascii: <?xml version="1.0" encoding="utf-8"?><configuration> <startup> <supportedRuntime version="v4.0" /> <supportedRuntime version="v2.0.50727" /> </startup> <runtime> <generatePublisherEvidence enabled="false" /> </runtime></con

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49730	147.28.128.254	443	1048	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 00:55:05 UTC	150	OUT	GET /Bin/ScreenConnect.WindowsBackstageShell.exe.config HTTP/1.1 Host: marcile61.screenconnect.com Accept-Encoding: gzip Connection: Keep-Alive
2024-04-24 00:55:05 UTC	237	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 266 Content-Type: text/html Server: ScreenConnect/23.9.10.8817-2370965207 Microsoft-HTTPAPI/2.0 X-Robots-Tag: noindex Date: Wed, 24 Apr 2024 00:55:04 GMT Connection: close
2024-04-24 00:55:05 UTC	266	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e 3e 0d 0a 20 20 3c 73 74 61 72 74 75 70 3e 0d 0a 20 20 20 20 3c 73 75 70 70 6f 72 74 65 64 52 75 6e 74 69 6d 65 20 76 65 72 73 69 6f 6e 3d 22 76 34 2e 30 22 20 2f 3e 0d 0a 20 20 20 20 3c 73 75 70 70 6f 72 74 65 64 52 75 6e 74 69 6d 65 20 76 65 72 73 69 6f 6e 3d 22 76 32 2e 30 2e 35 30 37 32 37 22 20 2f 3e 0d 0a 20 20 3c 2f 73 74 61 72 74 75 70 3e 0d 0a 20 20 3c 72 75 6e 74 69 6d 65 3e 0d 0a 20 20 20 20 3c 67 65 6e 65 72 61 74 65 50 75 62 6c 69 73 68 65 72 45 76 69 64 65 6e 63 65 20 65 6e 61 62 6c 65 64 3d 22 66 61 6c 73 65 22 20 2f 3e 0d 0a 20 20 3c 2f 72 75 6e 74 69 6d 65 3e 0d 0a 3c 2f 63 6f 6e Data Ascii: <?xml version="1.0" encoding="utf-8"?><configuration> <startup> <supportedRuntime version="v4.0" /> <supportedRuntime version="v2.0.50727" /> </startup> <runtime> <generatePublisherEvidence enabled="false" /> </runtime></con

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49731	147.28.128.254	443	1048	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 00:55:05 UTC	116	OUT	GET /Bin/ScreenConnect.WindowsFileManager.exe HTTP/1.1 Host: marcile61.screenconnect.com Accept-Encoding: gzip
2024-04-24 00:55:06 UTC	239	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 81696 Content-Type: text/html Server: ScreenConnect/23.9.10.8817-2370965207 Microsoft-HTTPAPI/2.0 X-Robots-Tag: noindex Date: Wed, 24 Apr 2024 00:55:05 GMT Connection: close
2024-04-24 00:55:06 UTC	16145	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 b8 fc 8a d6 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 40 00 00 00 d4 00 00 00 00 00 00 42 5e 00 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 01 00 00 02 00 00 18 3c 02 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL"0@B^ `@ `<@
2024-04-24 00:55:06 UTC	16384	IN	Data Raw: 89 18 22 6d cd 4f 33 a1 b2 fe a5 b6 dd 23 34 99 8b 61 65 b8 3f f4 d1 23 aa 5c f3 6c 56 17 f0 f7 5a 9d 5d 5d 8a 34 11 d7 6e ce 3f 00 00 00 00 98 55 92 92 00 00 00 00 02 00 00 00 7b 00 00 00 74 5d 00 00 74 3f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 52 53 44 53 f1 c9 85 49 b2 cd 9b 47 b3 c1 0c f0 28 72 19 e5 01 00 00 00 43 3a 5c 62 75 69 6c 64 73 5c 63 63 5c 63 77 63 6f 6e 74 72 6f 6c 5c 50 72 6f 64 75 63 74 5c 57 69 6e 64 6f 77 73 46 69 6c 65 4d 61 6e 61 67 65 72 5c 6f 62 6a 5c 52 65 6c 65 61 73 65 5c 53 63 72 65 65 6e 43 6f 6e 6e 65 63 74 2e 57 69 6e 64 6f 77 73 46 69 6c 65 4d 61 6e 61 67 65 72 2e 70 64 62 00 17 5e 00 00 00 00 00 00 00 00 00 00 31 5e 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: "mO3#4ae?#\lVZ]]4n?U{t]t?RSDSIG(rC:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb^1^
2024-04-24 00:55:06 UTC	16384	IN	Data Raw: c9 f4 ff 51 cc f8 ff 52 ce fa ff 53 d0 fd ff 54 d1 fe ff 54 d2 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 d2 ff ff 55 d1 fe ff 54 d0 fd ff 53 cf fb ff 52 cc f8 ff 51 c9 f4 ff 50 c6 f0 ff 4e c2 eb ff 4c bc e5 ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff 4c bc e5 ff 4e c2 eb ff 50 c6 f0 ff Data Ascii: QRSTTUUTSRQPNL::::::::::::::::::::::::::::::::::::::LNP
2024-04-24 00:55:06 UTC	16384	IN	Data Raw: d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff Data Ascii: ffffffffffffffffffffggggggggggggggggggggggggggggggggggggg
2024-04-24 00:55:06 UTC	16384	IN	Data Raw: db ff ff 00 00 00 00 00 00 00 00 00 9a dc ff 00 9a dc ff 00 9a dc ff 00 9a dc ff 00 9a dc ff 00 9a dc ff 00 9a dc ff 00 9a dc ff 00 9a dc ff 00 9a dc ff 6e cd f3 ff 85 e0 ff ff 80 df ff ff 80 df ff ff 80 df ff ff 80 df ff ff 80 df ff ff 80 df ff ff 80 df ff ff 80 df ff ff 80 df ff ff 9a e5 ff ef 00 00 00 00 00 00 00 00 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 cf 00 9f e0 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9f e0 ef 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 cf 00 9f e0 10 00 00 00 00 00 00 00 00 Data Ascii: n
2024-04-24 00:55:06 UTC	15	IN	Data Raw: a5 28 34 56 c1 c1 97 d4 a6 00 00 00 00 00 00 Data Ascii: (4V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49732	147.28.128.254	443	1048	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 00:55:07 UTC	135	OUT	GET /Bin/ScreenConnect.WindowsClient.exe HTTP/1.1 Host: marcile61.screenconnect.com Accept-Encoding: gzip Connection: Keep-Alive
2024-04-24 00:55:08 UTC	240	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 587040 Content-Type: text/html Server: ScreenConnect/23.9.10.8817-2370965207 Microsoft-HTTPAPI/2.0 X-Robots-Tag: noindex Date: Wed, 24 Apr 2024 00:55:07 GMT Connection: close
2024-04-24 00:55:08 UTC	16144	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 74 77 50 c4 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 c4 08 00 00 06 00 00 00 00 00 00 de dd 08 00 00 20 00 00 00 00 09 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 09 00 00 02 00 00 b8 61 09 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELtwP"0 @ @a@
2024-04-24 00:55:08 UTC	16384	IN	Data Raw: 00 0a 0a 06 25 2d 06 26 7e b4 00 00 0a 2a 00 00 1b 30 06 00 97 0d 00 00 2c 00 00 11 73 8a 07 00 06 0a 06 02 7d 03 03 00 04 28 77 01 00 0a 2c 1c 72 7d 0a 00 70 17 17 28 78 01 00 0a 28 79 01 00 0a 16 8d 11 00 00 01 28 7a 01 00 0a 02 17 7d 48 00 00 04 02 28 e4 00 00 06 17 28 d1 01 00 0a 0b 02 28 fd 00 00 06 0c 02 28 dc 00 00 06 7e 95 02 00 04 25 2d 17 26 7e 81 02 00 04 fe 06 01 07 00 06 73 d2 01 00 0a 25 80 95 02 00 04 28 33 00 00 2b 6f d3 01 00 0a 0d 38 cc 0b 00 00 12 04 09 6f d4 01 00 0a 7d 05 03 00 04 11 04 7b 05 03 00 04 28 2c 00 00 2b 13 05 11 04 7b 05 03 00 04 6f 11 03 00 06 28 16 06 00 06 13 06 11 04 7b 05 03 00 04 6f 25 03 00 06 28 2a 06 00 06 13 07 11 04 7b 05 03 00 04 6f 26 03 00 06 28 2a 06 00 06 13 08 11 04 7b 05 03 00 04 6f 11 03 00 06 02 28 fb Data Ascii: %-&~0,s}(w,r}p(x(y(z}H((((~%-&~s%(3+o8o}{(,+{o({o%({o&(*{o(
2024-04-24 00:55:08 UTC	16384	IN	Data Raw: 04 6f 1b 03 00 0a 74 9c 00 00 01 17 6f 1c 03 00 0a 26 02 7b 54 00 00 04 14 6f 7d 01 00 0a 02 17 28 3c 01 00 06 2a 02 16 28 3c 01 00 06 2a 00 00 13 30 05 00 90 00 00 00 47 00 00 11 72 fd 13 00 70 18 8d 11 00 00 01 25 16 03 8c 2a 02 00 01 a2 25 17 02 7b 54 00 00 04 6f e6 06 00 06 8c ad 00 00 02 a2 28 0e 03 00 0a 02 7b 54 00 00 04 6f e6 06 00 06 0a 06 17 2e 06 06 18 2e 27 2b 35 02 7b 5a 00 00 04 28 aa 00 00 06 6f a2 04 00 06 03 2d 22 02 28 ae 00 00 06 73 11 03 00 0a 6f 11 02 00 0a 2b 10 02 7b 5a 00 00 04 28 a9 00 00 06 6f a2 04 00 06 02 7b 54 00 00 04 16 6f a4 00 00 0a 02 7b 54 00 00 04 16 6f e7 06 00 06 2a 0a 14 2a 0a 14 2a 0a 16 2a 0a 14 2a 1a 73 1d 03 00 0a 7a 00 13 30 02 00 3d 01 00 00 00 00 00 00 03 d0 94 00 00 02 28 c2 00 00 0a 33 07 02 7b 4d 00 00 04 Data Ascii: oto&{To}(<(<0Grp%%{To({To..'+5{Z(o-"(so+{Z(o{To{To****sz0=(3{M
2024-04-24 00:55:08 UTC	16384	IN	Data Raw: 13 26 02 28 af 01 00 06 02 28 b1 01 00 06 73 bf 00 00 0a 2a 02 03 6f ce 02 00 06 2a 5e 02 03 28 2d 04 00 0a 02 28 c3 01 00 06 2c 07 02 17 28 a4 00 00 0a 2a 92 02 03 28 2e 04 00 0a 02 28 c3 01 00 06 2c 14 02 28 a2 00 00 0a 6f e2 01 00 0a 2d 07 02 16 28 a4 00 00 0a 2a 00 00 00 13 30 06 00 7f 00 00 00 64 00 00 11 02 03 28 2f 04 00 0a 02 28 bf 01 00 06 16 31 6e 02 28 c1 01 00 06 2c 66 12 00 02 28 2c 04 00 0a 0c 12 02 28 30 04 00 0a 02 28 2c 04 00 0a 0c 12 02 28 31 04 00 0a 02 28 f5 01 00 0a 02 28 2c 04 00 0a 0c 12 02 28 32 04 00 0a 59 02 28 eb 01 00 0a 02 28 2c 04 00 0a 0c 12 02 28 33 04 00 0a 59 28 07 01 00 0a 02 6f c8 01 00 06 0b 03 6f 34 04 00 0a 07 73 35 04 00 0a 06 6f 36 04 00 0a 2a 3a 02 03 28 37 04 00 0a 02 28 d0 01 00 06 2a 4a 02 28 a2 00 00 0a 6f e4 Data Ascii: &((so^(-(,((.(,(o-(0d(/(1n(,f(,(0(,(1((,(2Y((,(3Y(oo4s5o6:(7(J(o
2024-04-24 00:55:08 UTC	16384	IN	Data Raw: 1e 02 7b 06 01 00 04 2a 22 02 03 7d 06 01 00 04 2a 3a 02 28 c4 02 00 06 02 03 6f fe 02 00 06 2a 3a 02 28 c4 02 00 06 02 03 6f fd 02 00 06 2a 00 13 30 02 00 4d 00 00 00 94 00 00 11 20 00 00 00 10 0a 02 28 93 02 00 06 2d 08 06 20 10 20 00 00 60 0a 02 28 91 02 00 06 1b 33 08 06 20 00 40 00 00 60 0a 02 28 ae 02 00 06 2d 06 06 16 60 0a 2b 04 06 17 60 0a 02 28 b0 02 00 06 2d 06 06 16 60 0a 2b 04 06 1a 60 0a 06 2a 5e 1e 28 1e 05 00 06 80 ed 00 00 04 18 28 1e 05 00 06 80 ee 00 00 04 2a 1e 02 7b 07 01 00 04 2a 00 00 00 13 30 03 00 5b 00 00 00 00 00 00 00 02 28 88 02 00 06 02 d0 a1 00 00 01 28 c2 00 00 0a 72 8a 25 00 70 28 38 06 00 06 28 8e 02 00 06 02 28 af 04 00 06 28 96 02 00 06 02 17 28 b5 02 00 06 02 28 5c 05 00 0a 28 9f 02 00 06 02 28 5c 05 00 0a 6f 0c 04 00 Data Ascii: {"}:(o:(o0M (- `(3 @`(-`+`(-`+`^(({*0[((r%p(8(((((\((\o
2024-04-24 00:55:08 UTC	16384	IN	Data Raw: 6f 0c 04 00 0a 25 28 b0 04 00 06 6f 0d 04 00 0a 25 16 6f 06 06 00 0a 7d 3d 01 00 04 02 7b 3d 01 00 04 1f 0a 1f 0a 1f 0a 1f 0a 28 9a 03 00 06 02 7b 3d 01 00 04 7e 8f 04 00 04 25 2d 17 26 7e 8e 04 00 04 fe 06 c3 09 00 06 73 07 06 00 0a 25 80 8f 04 00 04 6f 08 06 00 0a 02 73 51 04 00 0a 25 18 6f cc 02 00 0a 25 28 e3 04 00 06 6f f8 05 00 0a 25 16 6f a4 00 00 0a 25 17 6f 09 06 00 0a 25 20 00 01 00 00 6f 0a 06 00 0a 25 7e 09 01 00 0a 22 00 00 10 41 73 0a 01 00 0a 6f dc 00 00 0a 25 28 b0 04 00 06 6f 0d 04 00 0a 25 28 ba 04 00 06 6f 0c 04 00 0a 7d 3f 01 00 04 02 73 c0 09 00 06 25 1b 6f cc 02 00 0a 25 17 6f c6 04 00 0a 25 16 6f c7 04 00 0a 25 16 6f 0b 06 00 0a 25 16 6f 05 06 00 0a 7d 3e 01 00 04 02 7b 3e 01 00 04 02 fe 06 8f 03 00 06 73 8d 01 00 0a 6f 0c 06 00 0a Data Ascii: o%(o%o}={=({=~%-&~s%osQ%o%(o%o%o% o%~"Aso%(o%(o}?s%o%o%o%o%o}>{>so
2024-04-24 00:55:08 UTC	16384	IN	Data Raw: 2c 07 11 0a 6f 22 00 00 0a dc 11 08 13 0b de 20 11 05 7b 49 05 00 04 2c 0c 11 05 7b 49 05 00 04 6f 22 00 00 0a dc 07 2c 06 07 6f 22 00 00 0a dc 11 0b 2a 00 41 64 00 00 02 00 00 00 a1 02 00 00 14 00 00 00 b5 02 00 00 0c 00 00 00 00 00 00 00 02 00 00 00 f2 02 00 00 28 00 00 00 1a 03 00 00 0c 00 00 00 00 00 00 00 02 00 00 00 9f 00 00 00 8d 02 00 00 2c 03 00 00 16 00 00 00 00 00 00 00 02 00 00 00 44 00 00 00 fe 02 00 00 42 03 00 00 0a 00 00 00 00 00 00 00 52 03 17 02 7b 63 01 00 04 02 7b 64 01 00 04 28 1a 04 00 06 2a 4e 03 02 7b 63 01 00 04 02 7b 64 01 00 04 28 1c 04 00 06 2a 00 00 00 13 30 04 00 ba 00 00 00 ee 00 00 11 12 00 0f 00 28 ce 00 00 0a 6b 0f 00 28 d2 00 00 0a 6b 28 96 07 00 0a 12 00 25 28 91 00 00 0a 04 5b 28 97 07 00 0a 12 00 25 28 93 00 00 0a 04 Data Ascii: ,o" {I,{Io",o"Ad(,DBR{c{d(N{c{d(*0(k(k(%([(%(
2024-04-24 00:55:08 UTC	16384	IN	Data Raw: 06 02 28 26 05 00 06 06 fe 06 af 0a 00 06 73 55 08 00 0a 28 c8 01 00 2b 2a 1e 02 7b 03 02 00 04 2a 22 02 03 7d 03 02 00 04 2a 1e 02 7b 04 02 00 04 2a 22 02 03 7d 04 02 00 04 2a 1e 02 7b 05 02 00 04 2a 22 02 03 7d 05 02 00 04 2a 1e 02 7b 06 02 00 04 2a 22 02 03 7d 06 02 00 04 2a 1e 02 7b 07 02 00 04 2a 22 02 03 7d 07 02 00 04 2a 1e 02 7b 08 02 00 04 2a 22 02 03 7d 08 02 00 04 2a 1e 02 7b 09 02 00 04 2a 22 02 03 7d 09 02 00 04 2a 1e 02 7b 0a 02 00 04 2a 22 02 03 7d 0a 02 00 04 2a 1e 02 7b 0b 02 00 04 2a 22 02 03 7d 0b 02 00 04 2a 1e 02 7b 0c 02 00 04 2a 22 02 03 7d 0c 02 00 04 2a 1e 02 7b 0d 02 00 04 2a 22 02 03 7d 0d 02 00 04 2a 1e 02 7b 0e 02 00 04 2a 22 02 03 7d 0e 02 00 04 2a 1e 02 7b 0f 02 00 04 2a 22 02 03 7d 0f 02 00 04 2a 1e 02 7b 10 02 00 04 2a 22 Data Ascii: (&sU(+{"}{"}{"}{"}{"}{"}{"}{"}{"}{"}{"}{"}{"}{"
2024-04-24 00:55:08 UTC	16384	IN	Data Raw: 00 02 6f e7 01 00 0a 28 c1 07 00 0a 2a 16 2a 3e 1f fe 73 e1 0b 00 06 25 02 7d 28 06 00 04 2a 00 13 30 05 00 aa 01 00 00 47 01 00 11 02 6f 93 09 00 0a 8d 4d 02 00 01 0a 02 6f 93 09 00 0a 8d 2a 02 00 01 0b 02 6f 93 09 00 0a 0c 04 4a 0d 04 4a 13 04 16 13 05 04 16 54 16 13 06 2b 5e 06 11 06 03 02 11 06 6f 94 09 00 0a 16 6f 95 09 00 0a 9e 09 2c 1c 02 11 06 6f 94 09 00 0a 75 25 00 00 02 13 07 11 07 2c 26 11 07 6f a7 01 00 06 2c 1d 07 11 06 17 9c 08 17 59 0c 11 04 06 11 06 94 59 13 04 04 04 4a 06 11 06 94 58 54 2b 09 11 05 06 11 06 94 58 13 05 11 06 17 58 13 06 11 06 02 6f 93 09 00 0a 32 98 38 04 01 00 00 11 04 6b 11 05 6b 5b 13 08 17 13 09 16 13 05 16 13 0a 08 13 0b 11 04 13 0c 2b 77 07 11 0a 91 2d 6b 11 0b 17 59 13 0b 11 09 2c 52 11 0b 2c 0b 06 11 0a 94 6b 11 Data Ascii: o(*>s%}(0GoMo*oJJT+^oo,ou%,&o,YYJXT+XXo28kk[+w-kY,R,k
2024-04-24 00:55:08 UTC	16384	IN	Data Raw: 28 48 00 00 0a 2a 00 00 13 30 05 00 66 01 00 00 88 01 00 11 04 16 6f ba 03 00 0a 02 7b ec 02 00 04 6f 8c 05 00 0a 6f fb 0a 00 0a 02 12 00 fe 15 f7 00 00 01 06 8c f7 00 00 01 28 5a 07 00 06 7e 88 02 00 04 25 2d 17 26 7e 81 02 00 04 fe 06 f4 06 00 06 73 fc 0a 00 0a 25 80 88 02 00 04 28 65 02 00 2b 26 02 12 01 fe 15 f8 00 00 01 07 8c f8 00 00 01 28 5b 07 00 06 02 7b ee 02 00 04 25 2d 16 26 02 02 fe 06 5c 07 00 06 73 fc 0a 00 0a 25 0c 7d ee 02 00 04 08 28 66 02 00 2b 26 02 12 03 fe 15 f9 00 00 01 09 8c f9 00 00 01 28 5b 07 00 06 26 02 12 04 fe 15 fa 00 00 01 11 04 8c fa 00 00 01 28 5b 07 00 06 26 17 13 05 73 5f 07 00 06 13 06 72 d8 46 00 70 12 05 28 ef 05 00 0a 72 5e 3c 00 70 28 4f 04 00 0a 16 28 26 01 00 0a 13 07 11 07 28 a8 00 00 0a 2d 6a 11 05 17 33 16 02 Data Ascii: (H*0fo{oo(Z~%-&~s%(e+&([{%-&\s%}(f+&([&([&s_rFp(r^<p(O(&(-j3

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49735	147.28.128.254	443	1048	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 00:55:09 UTC	129	OUT	GET /Bin/ScreenConnect.Windows.dll HTTP/1.1 Host: marcile61.screenconnect.com Accept-Encoding: gzip Connection: Keep-Alive
2024-04-24 00:55:10 UTC	241	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 1716224 Content-Type: text/html Server: ScreenConnect/23.9.10.8817-2370965207 Microsoft-HTTPAPI/2.0 X-Robots-Tag: noindex Date: Wed, 24 Apr 2024 00:55:09 GMT Connection: close
2024-04-24 00:55:10 UTC	16143	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 0e 4c 8a 9b 00 00 00 00 00 00 00 00 e0 00 22 20 0b 01 30 00 00 28 1a 00 00 06 00 00 00 00 00 00 16 46 1a 00 00 20 00 00 00 60 1a 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 1a 00 00 02 00 00 6c 63 1a 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELL" 0(F ` lc@
2024-04-24 00:55:10 UTC	16384	IN	Data Raw: 34 02 00 06 26 08 7b e6 01 00 04 28 34 02 00 06 26 dc 08 7b e8 01 00 04 28 d0 01 00 0a 2a 00 00 00 01 10 00 00 02 00 7a 00 2d a7 00 2a 00 00 00 00 1b 30 05 00 09 01 00 00 3b 00 00 11 12 00 fe 15 c7 00 00 01 7e a9 00 00 04 25 2d 13 26 14 fe 06 6c 01 00 06 73 ec 01 00 0a 25 80 a9 00 00 04 7e aa 00 00 04 25 2d 13 26 14 fe 06 6d 01 00 06 73 72 01 00 0a 25 80 aa 00 00 04 02 16 16 8d d4 00 00 01 28 2e 00 00 2b 0b 03 25 2d 06 26 73 ed 01 00 0a 73 ee 01 00 0a 0c 07 28 3b 00 00 06 28 f6 00 00 06 6f ef 01 00 0a 0d 2b 34 12 03 28 f0 01 00 0a 72 cb 04 00 70 28 f1 01 00 0a 18 6f f2 01 00 0a 25 16 9a 13 04 17 9a 13 05 08 11 04 6f f3 01 00 0a 2d 0a 08 11 04 11 05 6f f4 01 00 0a 12 03 28 f5 01 00 0a 2d c3 de 0e 12 03 fe 16 50 00 00 1b 6f 11 00 00 0a dc 08 7e b3 00 00 04 Data Ascii: 4&{(4&{(z-0;~%-&ls%~%-&msr%(.+%-&ss(;(o+4(rp(o%o-o(-Po~
2024-04-24 00:55:10 UTC	16384	IN	Data Raw: 00 00 20 bf 00 00 00 1f 14 1f 21 20 c9 00 00 00 1f 39 73 20 03 00 0a 1a 28 83 03 00 06 80 f9 03 00 04 20 67 c5 52 6f 20 60 03 00 00 20 d2 4b 00 00 20 96 00 00 00 1f 17 20 cc 00 00 00 20 bf 00 00 00 1f 14 1f 21 20 c9 00 00 00 1f 39 73 20 03 00 0a 18 28 83 03 00 06 80 fa 03 00 04 20 67 c5 52 6f 20 60 03 00 00 20 d2 4b 00 00 20 96 00 00 00 1f 17 20 cc 00 00 00 20 bf 00 00 00 1f 14 1f 21 20 c9 00 00 00 1f 39 73 20 03 00 0a 1b 28 83 03 00 06 80 fb 03 00 04 20 67 c5 52 6f 20 60 03 00 00 20 d2 4b 00 00 20 96 00 00 00 1f 17 20 cc 00 00 00 20 bf 00 00 00 1f 14 1f 21 20 c9 00 00 00 1f 39 73 20 03 00 0a 1f 09 28 83 03 00 06 80 fc 03 00 04 20 67 c5 52 6f 20 60 03 00 00 20 d2 4b 00 00 20 96 00 00 00 1f 17 20 cc 00 00 00 20 bf 00 00 00 1f 14 1f 21 20 c9 00 00 00 1f 39 Data Ascii: ! 9s ( gRo ` K ! 9s ( gRo ` K ! 9s ( gRo ` K ! 9s ( gRo ` K ! 9
2024-04-24 00:55:10 UTC	16384	IN	Data Raw: 22 00 00 00 00 81 08 ca 49 10 00 10 00 c3 22 00 00 00 00 e6 01 79 55 01 00 11 00 e0 22 00 00 00 00 86 18 be 94 01 00 11 00 9c 23 00 00 00 00 91 00 8e 69 85 24 11 00 68 24 00 00 00 00 91 00 3a 55 90 24 14 00 7d 24 00 00 00 00 91 18 e9 94 96 24 16 00 89 24 00 00 00 00 81 00 29 0a 9a 24 16 00 92 24 00 00 00 00 86 08 ec 44 f3 04 17 00 9a 24 00 00 00 00 81 08 f7 44 f1 02 17 00 a3 24 00 00 00 00 86 08 f6 37 3d 00 18 00 ab 24 00 00 00 00 81 08 05 38 15 00 18 00 b4 24 00 00 00 00 86 08 3d 33 a0 24 19 00 bc 24 00 00 00 00 81 08 4d 33 a9 24 19 00 c8 24 00 00 00 00 c6 00 15 a2 b3 24 1a 00 f8 24 00 00 00 00 c6 00 1f 3f 89 01 1b 00 13 25 00 00 00 00 96 08 3c c9 b8 24 1b 00 1c 25 00 00 00 00 96 08 48 c9 b8 24 1d 00 28 25 00 00 00 00 96 00 e5 55 c0 24 1f 00 4b 25 00 00 Data Ascii: "I"yU"#i$h$:U$}$$$)$$D$D$7=$8$=3$$M3$$$$?%<$%H$(%U$K%
2024-04-24 00:55:10 UTC	16384	IN	Data Raw: 65 00 00 02 00 cd c8 00 00 03 00 0b 6a 00 00 01 00 eb 4a 00 00 02 00 d8 57 10 10 03 00 42 98 00 00 01 00 eb 4a 00 00 02 00 d8 57 00 00 03 00 06 71 10 10 04 00 42 98 00 00 01 00 eb 4a 00 00 02 00 d8 57 00 00 01 00 86 45 00 00 01 00 c1 15 00 00 02 00 00 b4 00 00 03 00 96 31 00 00 01 00 49 3c 00 00 01 00 ba 6e 00 00 01 00 ba 6e 00 00 01 00 ba 6e 00 00 02 00 f4 9a 00 00 01 00 ba 6e 00 00 02 00 d3 c0 00 00 01 00 a3 8d 00 00 01 00 b9 60 10 10 02 00 ad c5 00 00 01 00 dd 9d 10 10 02 00 ad c5 00 00 01 00 df 9d 10 10 02 00 ad c5 00 00 01 00 df 9d 10 10 02 00 ad c5 00 00 01 00 fa c3 00 00 02 00 be 64 00 00 03 00 36 4b 00 00 01 00 be 64 00 00 02 00 36 4b 00 00 01 00 be 64 00 00 02 00 36 4b 00 00 01 00 1e 35 00 00 02 00 cf 57 00 00 03 00 4d 7d 00 00 01 00 df 47 00 00 Data Ascii: ejJWBJWqBJWE1I<nnnn`d6Kd6Kd6K5WM}G
2024-04-24 00:55:10 UTC	16384	IN	Data Raw: 1a 08 00 c0 0e 29 1a 08 00 c4 0e 72 1b 08 00 c8 0e 9a 1b 08 00 cc 0e 92 1e 09 00 d4 0e 1f 1a 09 00 d8 0e 24 1a 09 00 dc 0e ee 1c 09 00 e4 0e 1f 1a 09 00 e8 0e 24 1a 09 00 ec 0e 29 1a 09 00 f4 0e 7c 1b 09 00 f8 0e ee 1c 09 00 fc 0e d0 1c 09 00 00 0f 97 1e 09 00 04 0f 9c 1e 09 00 08 0f 0c 1d 09 00 0c 0f a1 1e 09 00 10 0f a6 1e 09 00 14 0f ab 1e 09 00 18 0f b0 1e 09 00 1c 0f b5 1e 09 00 20 0f ba 1e 09 00 24 0f bf 1e 09 00 28 0f c4 1e 09 00 60 0f 24 1a 09 00 68 0f 29 1a 09 00 6c 0f 72 1b 09 00 74 0f 1f 1e 09 00 78 0f 24 1a 09 00 7c 0f e8 1d 09 00 84 0f 24 1a 09 00 88 0f 29 1a 09 00 8c 0f 72 1b 09 00 90 0f 77 1b 09 00 94 0f 7c 1b 09 00 98 0f 81 1b 09 00 9c 0f 86 1b 09 00 a0 0f 8b 1b 09 00 a4 0f c9 1e 09 00 a8 0f b7 1c 08 00 d0 0f c5 1b 08 00 d4 0f 77 1b 08 00 Data Ascii: )r$$)\| $(`$h)lrtx$\|$)rw\|w
2024-04-24 00:55:10 UTC	16384	IN	Data Raw: 64 53 65 73 73 69 6f 6e 49 44 00 47 65 74 41 63 74 69 76 65 43 6f 6e 73 6f 6c 65 53 65 73 73 69 6f 6e 49 44 00 61 63 74 69 76 65 43 6f 6e 73 6f 6c 65 53 65 73 73 69 6f 6e 49 44 00 69 6d 70 65 72 73 6f 6e 61 74 65 54 6f 6b 65 6e 46 72 6f 6d 53 65 73 73 69 6f 6e 49 44 00 73 65 74 5f 4c 6f 67 6f 6e 53 65 73 73 69 6f 6e 49 44 00 6c 6f 67 6f 6e 53 65 73 73 69 6f 6e 49 44 00 47 65 74 43 75 72 72 65 6e 74 50 72 6f 63 65 73 73 53 65 73 73 69 6f 6e 49 44 00 47 65 74 53 65 73 73 69 6f 6e 49 44 00 55 6e 6b 6e 6f 77 6e 43 6c 69 65 6e 74 53 65 73 73 69 6f 6e 49 44 00 3c 3e 33 5f 5f 73 65 73 73 69 6f 6e 49 44 00 67 65 74 5f 43 75 72 73 6f 72 49 44 00 70 43 6c 61 73 73 49 44 00 47 65 74 43 6c 61 73 73 49 44 00 70 72 6f 63 65 73 73 49 44 00 64 77 4f 62 6a 65 63 74 49 44 Data Ascii: dSessionIDGetActiveConsoleSessionIDactiveConsoleSessionIDimpersonateTokenFromSessionIDset_LogonSessionIDlogonSessionIDGetCurrentProcessSessionIDGetSessionIDUnknownClientSessionID<>3__sessionIDget_CursorIDpClassIDGetClassIDprocessIDdwObjectID
2024-04-24 00:55:10 UTC	16384	IN	Data Raw: 63 61 73 74 44 65 6c 65 67 61 74 65 00 64 6d 43 6f 6c 6c 61 74 65 00 54 65 72 6d 69 6e 61 74 65 00 49 6d 70 65 72 73 6f 6e 61 74 65 00 53 61 66 65 45 6e 75 6d 65 72 61 74 65 00 43 72 65 61 74 65 4c 6f 67 69 63 61 6c 54 68 72 65 61 64 53 74 61 74 65 00 44 65 6c 65 74 65 4c 6f 67 69 63 61 6c 54 68 72 65 61 64 53 74 61 74 65 00 53 77 69 74 63 68 49 6e 4c 6f 67 69 63 61 6c 54 68 72 65 61 64 53 74 61 74 65 00 53 77 69 74 63 68 4f 75 74 4c 6f 67 69 63 61 6c 54 68 72 65 61 64 53 74 61 74 65 00 47 65 74 4b 65 79 62 6f 61 72 64 53 74 61 74 65 00 66 53 74 61 74 65 00 47 65 74 53 74 72 65 61 6d 53 74 61 74 65 00 47 65 74 53 65 73 73 69 6f 6e 43 6f 6e 6e 65 63 74 69 6f 6e 53 74 61 74 65 00 63 6f 6e 6e 65 63 74 69 6f 6e 53 74 61 74 65 00 53 65 74 54 68 72 65 61 64 45 Data Ascii: castDelegatedmCollateTerminateImpersonateSafeEnumerateCreateLogicalThreadStateDeleteLogicalThreadStateSwitchInLogicalThreadStateSwitchOutLogicalThreadStateGetKeyboardStatefStateGetStreamStateGetSessionConnectionStateconnectionStateSetThreadE
2024-04-24 00:55:10 UTC	16384	IN	Data Raw: 73 00 47 72 61 70 68 69 63 73 00 44 6c 6c 43 68 61 72 61 63 74 65 72 69 73 74 69 63 73 00 53 79 73 74 65 6d 2e 44 69 61 67 6e 6f 73 74 69 63 73 00 70 72 6f 63 65 73 73 49 64 73 00 64 6d 46 69 65 6c 64 73 00 52 75 6e 43 6f 6d 6d 61 6e 64 4c 69 6e 65 43 6f 6d 6d 61 6e 64 73 00 67 65 74 5f 4b 65 65 70 41 6c 69 76 65 54 69 6d 65 53 65 63 6f 6e 64 73 00 47 65 74 4b 65 65 70 41 6c 69 76 65 54 69 6d 65 53 65 63 6f 6e 64 73 00 67 65 74 5f 41 70 70 6c 69 63 61 74 69 6f 6e 50 69 6e 67 54 69 6d 65 53 65 63 6f 6e 64 73 00 67 65 74 5f 43 6c 69 65 6e 74 43 6f 6e 6e 65 63 74 69 6f 6e 4c 69 6d 69 74 50 65 72 69 6f 64 4d 69 6c 6c 69 73 65 63 6f 6e 64 73 00 47 65 74 43 6c 69 65 6e 74 43 6f 6e 6e 65 63 74 69 6f 6e 4c 69 6d 69 74 50 65 72 69 6f 64 4d 69 6c 6c 69 73 65 63 6f Data Ascii: sGraphicsDllCharacteristicsSystem.DiagnosticsprocessIdsdmFieldsRunCommandLineCommandsget_KeepAliveTimeSecondsGetKeepAliveTimeSecondsget_ApplicationPingTimeSecondsget_ClientConnectionLimitPeriodMillisecondsGetClientConnectionLimitPeriodMilliseco
2024-04-24 00:55:10 UTC	16384	IN	Data Raw: 20 00 73 00 65 00 74 00 3f 00 00 03 2a 00 00 0f 57 00 69 00 6e 00 73 00 74 00 61 00 30 00 00 11 57 00 69 00 6e 00 6c 00 6f 00 67 00 6f 00 6e 00 00 1d 45 00 78 00 65 00 63 00 75 00 74 00 61 00 62 00 6c 00 65 00 50 00 61 00 74 00 68 00 00 17 43 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 4c 00 69 00 6e 00 65 00 00 05 5c 00 5c 00 00 47 54 00 72 00 75 00 6e 00 63 00 61 00 74 00 65 00 64 00 20 00 6f 00 75 00 74 00 70 00 75 00 74 00 20 00 61 00 74 00 20 00 7b 00 30 00 7d 00 20 00 63 00 68 00 61 00 72 00 61 00 63 00 74 00 65 00 72 00 73 00 2e 00 00 15 70 00 6f 00 77 00 65 00 72 00 73 00 68 00 65 00 6c 00 6c 00 00 05 70 00 73 00 00 09 72 00 75 00 6e 00 2e 00 00 07 63 00 6d 00 64 00 00 07 70 00 73 00 31 00 00 0f 63 00 6d 00 64 00 2e 00 65 00 78 00 65 00 00 4b 57 00 69 Data Ascii: set?*Winsta0WinlogonExecutablePathCommandLine\\GTruncated output at {0} characters.powershellpsrun.cmdps1cmd.exeKWi

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49736	147.28.128.254	443	1048	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 00:55:11 UTC	102	OUT	GET /Bin/ScreenConnect.Core.dll HTTP/1.1 Host: marcile61.screenconnect.com Accept-Encoding: gzip
2024-04-24 00:55:12 UTC	240	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 531456 Content-Type: text/html Server: ScreenConnect/23.9.10.8817-2370965207 Microsoft-HTTPAPI/2.0 X-Robots-Tag: noindex Date: Wed, 24 Apr 2024 00:55:11 GMT Connection: close
2024-04-24 00:55:12 UTC	16144	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 1e 04 dc d5 00 00 00 00 00 00 00 00 e0 00 22 20 0b 01 30 00 00 14 08 00 00 06 00 00 00 00 00 00 86 2f 08 00 00 20 00 00 00 40 08 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 08 00 00 02 00 00 f3 38 08 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL" 0/ @ 8@
2024-04-24 00:55:12 UTC	16384	IN	Data Raw: 02 00 06 07 8e 69 1c 31 0e 06 07 1c 9a 28 ec 03 00 06 6f 2b 02 00 06 07 8e 69 1d 31 17 06 07 1d 9a 16 28 23 00 00 2b 0c 12 02 28 72 01 00 0a 6f 31 02 00 06 07 8e 69 1e 31 0e 06 07 1e 9a 28 ec 03 00 06 6f 29 02 00 06 06 06 6f 22 02 00 06 2c 09 06 6f 22 02 00 06 8e 2d 03 18 2b 01 17 6f 19 02 00 06 05 2c 27 05 7e 0b 05 00 04 25 2d 13 26 14 fe 06 4e 02 00 06 73 6d 01 00 0a 25 80 0b 05 00 04 28 22 00 00 2b 06 28 47 02 00 06 06 2a 2e 73 14 02 00 06 80 8c 00 00 04 2a 00 1b 30 04 00 a0 00 00 00 38 00 00 11 02 2d 0b 72 b6 03 00 70 73 73 01 00 0a 7a 02 6f 1a 02 00 06 28 70 01 00 0a 2c 0b 72 d2 03 00 70 73 73 01 00 0a 7a 02 6f 1c 02 00 06 2d 0b 72 02 04 00 70 73 73 01 00 0a 7a 02 6f 20 02 00 06 28 93 03 00 06 2c 0b 72 32 04 00 70 73 73 01 00 0a 7a 02 6f 16 02 00 06 Data Ascii: i1(o+i1(#+(ro1i1(o)o",o"-+o,'~%-&Nsm%("+(G.s08-rpsszo(p,rpsszo-rpsszo (,r2psszo
2024-04-24 00:55:12 UTC	16384	IN	Data Raw: 06 00 04 28 76 00 00 2b 06 fe 06 ab 0e 00 06 73 c6 02 00 0a 7e a7 05 00 04 25 2d 17 26 7e a2 05 00 04 fe 06 19 0e 00 06 73 c7 02 00 0a 25 80 a7 05 00 04 28 77 00 00 2b 2a 36 02 28 ef 03 00 06 03 28 f4 03 00 06 2a 36 02 28 78 00 00 2b 14 28 f4 03 00 06 2a 22 02 14 28 f4 03 00 06 2a 00 00 13 30 04 00 4b 00 00 00 00 00 00 00 02 7e a8 05 00 04 25 2d 17 26 7e a2 05 00 04 fe 06 1a 0e 00 06 73 c8 02 00 0a 25 80 a8 05 00 04 7e a9 05 00 04 25 2d 17 26 7e a2 05 00 04 fe 06 1b 0e 00 06 73 c9 02 00 0a 25 80 a9 05 00 04 28 79 00 00 2b 03 28 f4 03 00 06 2a 00 1b 30 02 00 8b 00 00 00 76 00 00 11 73 ca 02 00 0a 0a 17 0b 02 6f cb 02 00 0a 0c 2b 5f 08 6f cc 02 00 0a 0d 07 2c 04 16 0b 2b 0c 06 72 a3 0c 00 70 6f 16 02 00 0a 26 12 03 28 cd 02 00 0a 03 28 eb 03 00 06 13 04 06 Data Ascii: (v+s~%-&~s%(w+6((6(x+("(0K~%-&~s%~%-&~s%(y+(*0vso+_o,+rpo&((
2024-04-24 00:55:12 UTC	16384	IN	Data Raw: 02 00 0d 00 0a 17 00 07 00 00 00 00 1b 30 02 00 1e 00 00 00 92 00 00 11 02 8c 82 00 00 1b 0a 06 28 93 01 00 0a 03 02 6f 54 03 00 0a de 07 06 28 95 01 00 0a dc 2a 00 00 01 10 00 00 02 00 0d 00 09 16 00 07 00 00 00 00 2e 02 03 28 8e 00 00 2b 16 fe 01 2a 1b 30 04 00 36 00 00 00 17 00 00 11 04 0a 02 6f c4 00 00 0a 0b 2b 13 07 6f c5 00 00 0a 0c 03 06 25 17 58 0a 08 6f 38 04 00 0a 07 6f 11 00 00 0a 2d e5 de 0a 07 2c 06 07 6f 10 00 00 0a dc 06 04 59 2a 00 00 01 10 00 00 02 00 09 00 1f 28 00 0a 00 00 00 00 13 30 05 00 39 00 00 00 d1 00 00 11 03 14 28 cf 00 00 2b 26 02 6f c2 00 00 0a 0a 06 8d 83 00 00 1b 0b 16 0c 2b 19 07 08 03 02 08 6f c3 00 00 0a 08 6f 39 04 00 0a a4 83 00 00 1b 08 17 58 0c 08 06 32 e3 07 2a 00 00 00 1b 30 02 00 2f 00 00 00 aa 00 00 11 02 2c 2b Data Ascii: 0(oT(.(+06o+o%Xo8o-,oY(09(+&o+oo9X20/,+
2024-04-24 00:55:12 UTC	16384	IN	Data Raw: 72 14 15 00 70 02 28 c0 07 00 06 0a 12 00 28 dd 0a 00 06 1f 32 17 28 1a 05 00 06 28 7f 01 00 0a 2a 1e 02 28 3b 00 00 0a 2a 1e 02 7b 04 03 00 04 2a 22 02 03 7d 04 03 00 04 2a 1e 02 28 3b 00 00 0a 2a 1e 02 7b 05 03 00 04 2a 22 02 03 7d 05 03 00 04 2a 1e 02 7b 06 03 00 04 2a 22 02 03 7d 06 03 00 04 2a 1e 02 28 c6 07 00 06 2a 1e 02 7b 07 03 00 04 2a 22 02 03 7d 07 03 00 04 2a 1e 02 7b 08 03 00 04 2a 22 02 03 7d 08 03 00 04 2a 1e 02 7b 09 03 00 04 2a 22 02 03 7d 09 03 00 04 2a 1e 02 28 3b 00 00 0a 2a 1e 02 7b 0a 03 00 04 2a 22 02 03 7d 0a 03 00 04 2a 1e 02 28 3b 00 00 0a 2a 1e 02 7b 0b 03 00 04 2a 22 02 03 7d 0b 03 00 04 2a 1e 02 28 3b 00 00 0a 2a 1e 02 7b 13 03 00 04 2a 22 02 03 7d 13 03 00 04 2a 1e 02 7b 14 03 00 04 2a 22 02 03 7d 14 03 00 04 2a 1e 02 7b 15 Data Ascii: rp((2(((;{"}(;{"}{"}({"}{"}{"}(;{"}(;{"}(;{"}{"}*{
2024-04-24 00:55:13 UTC	16384	IN	Data Raw: 6f ec 05 00 0a a5 e7 00 00 01 2a 4a 02 72 22 21 00 70 03 8c e7 00 00 01 6f ed 05 00 0a 2a 46 02 72 66 21 00 70 6f ec 05 00 0a a5 e7 00 00 01 2a 4a 02 72 66 21 00 70 03 8c e7 00 00 01 6f ed 05 00 0a 2a 46 02 72 b6 21 00 70 6f ec 05 00 0a a5 e7 00 00 01 2a 4a 02 72 b6 21 00 70 03 8c e7 00 00 01 6f ed 05 00 0a 2a 46 02 72 0e 22 00 70 6f ec 05 00 0a a5 e7 00 00 01 2a 4a 02 72 0e 22 00 70 03 8c e7 00 00 01 6f ed 05 00 0a 2a 46 02 72 50 22 00 70 6f ec 05 00 0a a5 e7 00 00 01 2a 4a 02 72 50 22 00 70 03 8c e7 00 00 01 6f ed 05 00 0a 2a 46 02 72 7e 22 00 70 6f ec 05 00 0a a5 e7 00 00 01 2a 4a 02 72 7e 22 00 70 03 8c e7 00 00 01 6f ed 05 00 0a 2a 46 02 72 ac 22 00 70 6f ec 05 00 0a a5 e7 00 00 01 2a 4a 02 72 ac 22 00 70 03 8c e7 00 00 01 6f ed 05 00 0a 2a 46 02 72 Data Ascii: oJr"!poFrf!poJrf!poFr!poJr!poFr"poJr"poFrP"poJrP"poFr~"poJr~"poFr"poJr"poFr
2024-04-24 00:55:13 UTC	16384	IN	Data Raw: 0a 16 0c 2b 3e 03 25 1a 58 10 01 4a 0d 04 25 17 58 10 02 06 09 20 ff 00 00 00 5f 58 47 06 09 1e 63 20 ff 00 00 00 5f 58 47 1c 5a 58 06 09 1f 10 63 20 ff 00 00 00 5f 58 47 1f 24 5a 58 d2 52 08 17 58 0c 08 05 32 be 14 0b 2a 86 02 1c 8d ba 00 00 01 25 d0 41 04 00 04 28 c1 04 00 0a 7d 34 04 00 04 02 1e 16 03 28 d2 09 00 06 2a 13 30 06 00 8e 00 00 00 7e 01 00 11 02 7b 34 04 00 04 25 0b 2c 05 07 8e 69 2d 05 16 e0 0a 2b 09 07 16 8f ba 00 00 01 e0 0a 16 0c 2b 66 02 0e 05 0e 06 08 05 17 59 fe 01 28 d4 09 00 06 0e 05 0d 03 13 04 16 13 05 2b 3c 09 25 17 58 0d 47 13 06 11 04 25 1a 58 13 04 20 00 00 00 ff 06 11 06 1c 5d 58 47 60 06 11 06 1f 24 5d 1c 5b 58 47 1e 62 60 06 11 06 1f 24 5b 58 47 1f 10 62 60 54 11 05 17 58 13 05 11 05 04 32 bf 08 17 58 0c 03 0e 04 58 10 01 Data Ascii: +>%XJ%X _XGc _XGZXc _XG$ZXRX2%A(}4(0~{4%,i-++fY(+<%XG%X ]XG`$][XGb`$[XGb`TX2XX
2024-04-24 00:55:13 UTC	16384	IN	Data Raw: 00 00 00 00 1b 30 02 00 bf 00 00 00 87 01 00 11 02 7b 7f 08 00 0a 0b 07 45 03 00 00 00 07 00 00 00 47 00 00 00 92 00 00 00 16 0a dd 9d 00 00 00 02 15 7d 7f 08 00 0a 02 02 7b 82 08 00 0a 6f 15 00 00 0a 7d 83 08 00 0a 02 1f fd 7d 7f 08 00 0a 2b 26 02 7b 83 08 00 0a 6f 12 00 00 0a 0c 02 08 7d 84 08 00 0a 02 17 7d 7f 08 00 0a 17 0a de 5d 02 1f fd 7d 7f 08 00 0a 02 7b 83 08 00 0a 6f 11 00 00 0a 2d cd 02 28 81 08 00 0a 02 14 7d 83 08 00 0a 02 7c 85 08 00 0a 28 86 08 00 0a 2c 23 02 02 7c 85 08 00 0a 28 87 08 00 0a 7d 84 08 00 0a 02 18 7d 7f 08 00 0a 17 0a de 12 02 15 7d 7f 08 00 0a 16 0a de 07 02 28 88 08 00 0a dc 06 2a 00 01 10 00 00 04 00 00 00 b6 b6 00 07 00 00 00 00 6e 02 15 7d 7f 08 00 0a 02 7b 83 08 00 0a 2c 0b 02 7b 83 08 00 0a 6f 10 00 00 0a 2a 1e 02 7b Data Ascii: 0{EG}{o}}+&{o}}]}{o-(}\|(,#\|(}}}(n}{,{o{
2024-04-24 00:55:13 UTC	16384	IN	Data Raw: 0a 2b 07 16 73 3e 10 00 06 0a 06 02 7b 8f 07 00 04 7d 8e 07 00 04 06 2a 1e 02 28 45 10 00 06 2a 2e 73 48 10 00 06 80 92 07 00 04 2a 1e 02 28 3b 00 00 0a 2a 1e 03 6f 89 04 00 0a 2a 1e 02 28 3b 00 00 0a 2a 5e 03 6f 67 04 00 0a 02 7b 94 07 00 04 6f 67 04 00 0a 28 9e 04 00 0a 2a 7a 02 28 3b 00 00 0a 02 03 7d 96 07 00 04 02 28 2d 07 00 0a 6f 2e 07 00 0a 7d 98 07 00 04 2a 06 2a 00 00 00 13 30 06 00 67 01 00 00 08 00 00 11 02 7b 96 07 00 04 0a 06 45 05 00 00 00 02 00 00 00 8c 00 00 00 d9 00 00 00 0b 01 00 00 3d 01 00 00 16 2a 02 15 7d 96 07 00 04 02 28 19 01 00 0a 6f 8b 04 00 0a 73 83 04 00 0a 7d 99 07 00 04 02 02 7b 99 07 00 04 28 c7 0a 00 06 7d 9a 07 00 04 02 02 7b 9a 07 00 04 2d 2a 1f 1c 28 0a 0a 00 0a 18 8d b9 00 00 01 25 16 02 7b 99 07 00 04 6f 90 04 00 0a Data Ascii: +s>{}(E.sH(;o(;^og{og(z(;}(-o.}0g{E=}(os}{(}{-*(%{o
2024-04-24 00:55:13 UTC	16384	IN	Data Raw: 6f 49 00 00 ae 37 01 00 51 00 af 03 1f 09 01 01 00 00 35 25 00 00 ae 37 01 00 51 00 af 03 23 09 01 01 00 00 0a 2f 00 00 ae 37 01 00 51 00 af 03 27 09 01 01 00 00 7d 34 00 00 ae 37 01 00 51 00 af 03 2b 09 01 01 00 00 2c 37 00 00 ae 37 01 00 51 00 af 03 2f 09 01 01 00 00 22 39 00 00 ae 37 01 00 51 00 af 03 33 09 01 01 00 00 22 30 00 00 ae 37 01 00 51 00 af 03 37 09 01 01 00 00 4e 37 00 00 ae 37 01 00 51 00 af 03 3b 09 01 01 00 00 44 39 00 00 ae 37 01 00 51 00 af 03 3f 09 01 01 00 00 97 3a 00 00 ae 37 01 00 51 00 af 03 43 09 01 01 00 00 de 3b 00 00 ae 37 01 00 51 00 af 03 47 09 01 01 00 00 a6 34 00 00 ae 37 01 00 51 00 af 03 4b 09 01 01 00 00 40 37 00 00 ae 37 01 00 51 00 af 03 4f 09 01 01 00 00 36 39 00 00 ae 37 01 00 51 00 af 03 53 09 01 01 00 00 89 3a 00 Data Ascii: oI7Q5%7Q#/7Q'}47Q+,77Q/"97Q3"07Q7N77Q;D97Q?:7QC;7QG47QK@77QO697QS:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	49737	147.28.128.254	443	1048	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 00:55:14 UTC	104	OUT	GET /Bin/ScreenConnect.Client.dll HTTP/1.1 Host: marcile61.screenconnect.com Accept-Encoding: gzip
2024-04-24 00:55:14 UTC	240	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 192512 Content-Type: text/html Server: ScreenConnect/23.9.10.8817-2370965207 Microsoft-HTTPAPI/2.0 X-Robots-Tag: noindex Date: Wed, 24 Apr 2024 00:55:14 GMT Connection: close
2024-04-24 00:55:14 UTC	16144	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 52 ae 42 a5 00 00 00 00 00 00 00 00 e0 00 22 20 0b 01 30 00 00 e8 02 00 00 06 00 00 00 00 00 00 8a 06 03 00 00 20 00 00 00 20 03 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 03 00 00 02 00 00 f3 30 03 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELRB" 0 `0@
2024-04-24 00:55:14 UTC	16384	IN	Data Raw: 28 f0 02 00 06 2c 09 06 1f 20 6f 69 00 00 0a 26 06 1f 7d 6f 69 00 00 0a 26 06 6f 26 00 00 0a 2a 0a 16 2a 2e 02 03 28 f2 02 00 06 16 fe 01 2a 26 0f 00 03 28 f5 02 00 06 2a 0a 16 2a 5e 03 75 76 00 00 02 2c 0d 02 03 a5 76 00 00 02 28 f5 02 00 06 2a 16 2a 0a 17 2a 00 13 30 02 00 40 00 00 00 0c 00 00 11 73 67 00 00 0a 0a 06 72 e9 0f 00 70 6f 68 00 00 0a 26 06 72 37 01 00 70 6f 68 00 00 0a 26 02 06 28 f7 02 00 06 2c 09 06 1f 20 6f 69 00 00 0a 26 06 1f 7d 6f 69 00 00 0a 26 06 6f 26 00 00 0a 2a 0a 16 2a 2e 02 03 28 f9 02 00 06 16 fe 01 2a 26 0f 00 03 28 fc 02 00 06 2a 0a 16 2a 5e 03 75 77 00 00 02 2c 0d 02 03 a5 77 00 00 02 28 fc 02 00 06 2a 16 2a 0a 17 2a 00 13 30 02 00 40 00 00 00 0c 00 00 11 73 67 00 00 0a 0a 06 72 01 10 00 70 6f 68 00 00 0a 26 06 72 37 01 00 Data Ascii: (, oi&}oi&o&*.(&(^uv,v(0@sgrpoh&r7poh&(, oi&}oi&o&.(&(^uw,w(*0@sgrpoh&r7
2024-04-24 00:55:14 UTC	16384	IN	Data Raw: 28 fa 03 00 06 2d 0d 02 7b f3 00 00 04 28 af 00 00 0a 14 2a 00 02 16 28 03 04 00 06 02 7b f4 00 00 04 03 6f 99 01 00 0a 0a de 0e 26 02 7b f3 00 00 04 28 af 00 00 0a fe 1a 06 2a 00 01 10 00 00 00 00 21 00 16 37 00 0e 16 00 00 01 1b 30 02 00 1b 00 00 00 00 00 00 00 02 7b f4 00 00 04 03 6f cb 01 00 0a de 0c 02 7b f3 00 00 04 28 af 00 00 0a dc 2a 00 01 10 00 00 02 00 00 00 0e 0e 00 0c 00 00 00 00 1b 30 02 00 4d 00 00 00 4b 00 00 11 73 a2 04 00 06 0a 06 02 7d 5e 01 00 04 06 03 7d 5f 01 00 04 06 04 7d 60 01 00 04 02 7b f3 00 00 04 0b 07 28 aa 00 00 0a 02 28 fa 03 00 06 2c 13 06 fe 06 a3 04 00 06 73 dc 00 00 0a 14 28 02 02 00 0a 26 de 07 07 28 af 00 00 0a dc 2a 00 00 00 01 10 00 00 02 00 28 00 1d 45 00 07 00 00 00 00 13 30 02 00 7c 00 00 00 4c 00 00 11 02 7b f6 Data Ascii: (-{(({o&{(!70{o{(0MKs}^}_}`{((,s(&((E0\|L{
2024-04-24 00:55:14 UTC	16384	IN	Data Raw: de 62 b1 1e 01 00 bc 20 00 00 00 00 c6 00 de 27 b8 1e 02 00 0c 21 00 00 00 00 91 18 e4 62 c2 1e 03 00 8c 21 00 00 00 00 96 00 9e 3b c6 1e 03 00 24 22 00 00 00 00 96 00 1f 57 d2 1e 05 00 7e 22 00 00 00 00 96 00 d0 5c d9 1e 06 00 9c 22 00 00 00 00 96 00 27 20 e0 1e 07 00 04 23 00 00 00 00 96 00 b8 78 f1 1e 09 00 35 23 00 00 00 00 86 08 03 74 00 1f 0a 00 3d 23 00 00 00 00 86 08 0e 74 05 1f 0a 00 46 23 00 00 00 00 86 08 29 32 0b 1f 0b 00 4e 23 00 00 00 00 86 08 38 32 11 1f 0b 00 57 23 00 00 00 00 86 08 5b 2d a7 04 0c 00 5f 23 00 00 00 00 86 08 72 2d d4 04 0c 00 68 23 00 00 00 00 86 08 64 72 49 0b 0d 00 70 23 00 00 00 00 86 08 77 72 57 0b 0d 00 79 23 00 00 00 00 86 08 99 72 49 0b 0e 00 81 23 00 00 00 00 86 08 ad 72 57 0b 0e 00 8a 23 00 00 00 00 86 08 c6 52 a7 Data Ascii: b '!b!;$"W~"\"' #x5#t=#tF#)2N#82W#[-_#r-h#drIp#wrWy#rI#rW#R
2024-04-24 00:55:14 UTC	16384	IN	Data Raw: 04 04 4a bc 00 00 00 00 86 18 de 62 01 00 07 04 54 bc 00 00 00 00 83 00 f6 06 f7 2a 07 04 10 bd 00 00 00 00 86 18 de 62 01 00 09 04 18 bd 00 00 00 00 83 00 d4 02 04 2b 09 04 69 bd 00 00 00 00 83 00 85 04 04 2b 0b 04 86 bd 00 00 00 00 86 18 de 62 01 00 0d 04 8e bd 00 00 00 00 83 00 19 03 41 11 0d 04 9e bd 00 00 00 00 86 18 de 62 01 00 0e 04 a6 bd 00 00 00 00 83 00 e5 02 01 00 0e 04 d0 bd 00 00 00 00 91 18 e4 62 c2 1e 0e 04 dc bd 00 00 00 00 86 18 de 62 01 00 0e 04 e4 bd 00 00 00 00 83 00 8a 01 ce 2a 0e 04 f1 bd 00 00 00 00 86 18 de 62 01 00 0f 04 f9 bd 00 00 00 00 86 18 de 62 01 00 0f 04 01 be 00 00 00 00 83 00 03 07 0c 2b 0f 04 1a be 00 00 00 00 86 18 de 62 01 00 10 04 24 be 00 00 00 00 83 00 7b 04 04 2b 10 04 c1 be 00 00 00 00 c6 09 79 58 34 03 12 04 00 Data Ascii: JbTb+i+bAbbbbb+b${+yX4
2024-04-24 00:55:15 UTC	16384	IN	Data Raw: 6c 1a 00 2d 6b 00 6c 1a 20 2d 6b 00 6c 1a 40 2d 6b 00 6c 1a 60 2d 6b 00 6c 1a 80 2d 6b 00 6c 1a a0 2d 6b 00 6c 1a c0 2d 6b 00 6c 1a e0 2d 6b 00 6c 1a 00 2e 2a 00 47 2d 20 2e 2a 00 47 2d 20 2e 6b 00 6c 1a 40 2e 2a 00 47 2d 40 2e 6b 00 6c 1a 60 2e 6b 00 6c 1a 80 2e 6b 00 6c 1a a0 2e 6b 00 6c 1a c0 2e 6b 00 6c 1a e0 2e 6b 00 6c 1a 00 2f 6b 00 6c 1a 01 2f 6b 00 6c 1a 20 2f 6b 00 6c 1a 21 2f 6b 00 6c 1a 40 2f 2a 00 47 2d 40 2f 6b 00 6c 1a 41 2f 6b 00 6c 1a 60 2f 6b 00 6c 1a 80 2f 6b 00 6c 1a a0 2f 6b 00 6c 1a c0 2f 6b 00 6c 1a e0 2f 6b 00 6c 1a 00 30 6b 00 6c 1a 20 30 6b 00 6c 1a 40 30 6b 00 6c 1a 60 30 6b 00 6c 1a 80 30 6b 00 6c 1a a0 30 6b 00 6c 1a c0 30 6b 00 6c 1a e0 30 6b 00 6c 1a 00 31 6b 00 6c 1a 20 31 6b 00 6c 1a 21 31 83 00 d9 2d 40 31 6b 00 6c 1a 60 Data Ascii: l-kl -kl@-kl`-kl-kl-kl-kl-kl.G- .G- .kl@.G-@.kl`.kl.kl.kl.kl.kl/kl/kl /kl!/kl@/G-@/klA/kl`/kl/kl/kl/kl/kl0kl 0kl@0kl`0kl0kl0kl0kl0kl1kl 1kl!1-@1kl`
2024-04-24 00:55:15 UTC	16384	IN	Data Raw: 6b 3e 6b 5f 5f 42 61 63 6b 69 6e 67 46 69 65 6c 64 00 3c 43 72 65 64 65 6e 74 69 61 6c 3e 6b 5f 5f 42 61 63 6b 69 6e 67 46 69 65 6c 64 00 3c 53 6f 75 6e 64 4c 65 76 65 6c 3e 6b 5f 5f 42 61 63 6b 69 6e 67 46 69 65 6c 64 00 3c 53 63 72 65 65 6e 51 75 61 6c 69 74 79 4c 65 76 65 6c 3e 6b 5f 5f 42 61 63 6b 69 6e 67 46 69 65 6c 64 00 3c 54 6f 6f 6c 3e 6b 5f 5f 42 61 63 6b 69 6e 67 46 69 65 6c 64 00 3c 57 61 73 53 75 63 63 65 73 73 66 75 6c 3e 6b 5f 5f 42 61 63 6b 69 6e 67 46 69 65 6c 64 00 3c 44 6f 6d 61 69 6e 3e 6b 5f 5f 42 61 63 6b 69 6e 67 46 69 65 6c 64 00 3c 43 72 65 64 65 6e 74 69 61 6c 50 72 6f 76 69 64 65 72 50 72 6f 74 6f 63 6f 6c 56 65 72 73 69 6f 6e 3e 6b 5f 5f 42 61 63 6b 69 6e 67 46 69 65 6c 64 00 3c 43 6c 69 65 6e 74 56 65 72 73 69 6f 6e 3e 6b 5f Data Ascii: k>k__BackingField<Credential>k__BackingField<SoundLevel>k__BackingField<ScreenQualityLevel>k__BackingField<Tool>k__BackingField<WasSuccessful>k__BackingField<Domain>k__BackingField<CredentialProviderProtocolVersion>k__BackingField<ClientVersion>k_
2024-04-24 00:55:15 UTC	16384	IN	Data Raw: 74 69 6f 6e 00 64 65 73 74 69 6e 61 74 69 6f 6e 00 67 65 74 5f 41 75 74 68 65 6e 74 69 63 61 74 65 64 4f 70 65 72 61 74 69 6f 6e 00 73 65 74 5f 41 75 74 68 65 6e 74 69 63 61 74 65 64 4f 70 65 72 61 74 69 6f 6e 00 67 65 74 5f 47 75 65 73 74 43 6f 6e 66 69 67 75 72 61 74 69 6f 6e 00 73 65 74 5f 47 75 65 73 74 43 6f 6e 66 69 67 75 72 61 74 69 6f 6e 00 47 65 74 47 75 65 73 74 43 6f 6e 66 69 67 75 72 61 74 69 6f 6e 00 67 75 65 73 74 43 6f 6e 66 69 67 75 72 61 74 69 6f 6e 00 67 65 74 5f 41 63 74 69 6f 6e 00 46 69 6c 65 41 63 74 69 6f 6e 00 67 65 74 5f 43 72 65 64 65 6e 74 69 61 6c 73 41 63 74 69 6f 6e 00 73 65 74 5f 43 72 65 64 65 6e 74 69 61 6c 73 41 63 74 69 6f 6e 00 53 65 63 75 72 69 74 79 41 63 74 69 6f 6e 00 6f 70 5f 53 75 62 74 72 61 63 74 69 6f 6e 00 42 Data Ascii: tiondestinationget_AuthenticatedOperationset_AuthenticatedOperationget_GuestConfigurationset_GuestConfigurationGetGuestConfigurationguestConfigurationget_ActionFileActionget_CredentialsActionset_CredentialsActionSecurityActionop_SubtractionB
2024-04-24 00:55:15 UTC	16384	IN	Data Raw: 00 61 00 6b 00 65 00 72 00 73 00 00 0f 48 00 65 00 61 00 64 00 73 00 65 00 74 00 00 17 50 00 6c 00 61 00 6e 00 74 00 72 00 6f 00 6e 00 69 00 63 00 73 00 00 0b 4a 00 61 00 62 00 72 00 61 00 00 15 53 00 6b 00 75 00 6c 00 6c 00 63 00 61 00 6e 00 64 00 79 00 00 15 53 00 65 00 6e 00 6e 00 68 00 65 00 69 00 73 00 65 00 72 00 00 0f 4a 00 61 00 77 00 62 00 6f 00 6e 00 65 00 00 57 52 00 65 00 6e 00 64 00 65 00 72 00 65 00 64 00 20 00 7b 00 30 00 7d 00 20 00 66 00 72 00 61 00 6d 00 65 00 73 00 20 00 61 00 74 00 20 00 73 00 65 00 67 00 6d 00 65 00 6e 00 74 00 20 00 70 00 6f 00 73 00 69 00 74 00 69 00 6f 00 6e 00 20 00 7b 00 31 00 7d 00 00 b3 dc e0 5d fb aa 6d 41 85 16 c3 82 11 51 9c 1a 00 03 20 00 01 04 20 01 01 08 05 20 01 01 11 15 04 20 01 01 0e 04 20 01 01 02 05 Data Ascii: akersHeadsetPlantronicsJabraSkullcandySennheiserJawboneWRendered {0} frames at segment position {1}]mAQ
2024-04-24 00:55:15 UTC	16384	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff e5 10 e8 47 00 00 00 10 74 52 4e 53 00 10 20 30 40 50 60 70 80 90 a0 b0 c0 d0 e0 f0 54 e0 a8 c8 00 00 02 47 49 44 41 54 78 da ed 58 c9 b2 a3 30 0c 94 30 ab 83 a1 ff ff 6b e7 90 37 55 b8 79 11 b2 21 97 19 eb 96 94 e9 2e 59 5b 5b 22 cd 9a 35 6b d6 ec bf b2 41 bf 8b bf 60 fd 2a fe 04 60 aa fd d8 e3 bb 6e c0 de 55 e2 27 cf a9 00 54 5e 92 26 b8 ce cd 00 c6 3a 7c 1f 81 24 60 d3 2a 7c 27 41 0f 60 ae c2 77 12 48 04 76 ad c1 87 33 bf ba 62 17 7e f0 3f 12 c4 f5 14 e7 22 17 34 01 30 62 10 81 98 7f b0 17 b9 f0 c6 d7 8f 04 9a 00 0c 4c b9 95 e2 cb 67 0f c2 ce d5 db 9d 28 af f1 0d 02 19 4e d5 fb 02 5e 85 f8 16 81 2c 5c bd 03 00 2d c3 37 09 64 e3 bc d9 7c 4d f5 80 6f 13 9c aa 77 31 ef 08 47 fb c1 b7 09 4e d5 1b cc 3b fa Data Ascii: GtRNS 0@P`pTGIDATxX00k7Uy!.Y[["5kA``nU'T^&:\|$`\|'A`wHv3b~?"40bLg(N^,\-7d\|Mow1GN;

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	49738	147.28.128.254	443	1048	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 00:55:15 UTC	111	OUT	GET /Bin/ScreenConnect.ClientService.dll HTTP/1.1 Host: marcile61.screenconnect.com Accept-Encoding: gzip
2024-04-24 00:55:16 UTC	239	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 61952 Content-Type: text/html Server: ScreenConnect/23.9.10.8817-2370965207 Microsoft-HTTPAPI/2.0 X-Robots-Tag: noindex Date: Wed, 24 Apr 2024 00:55:15 GMT Connection: close
2024-04-24 00:55:16 UTC	16145	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 c1 68 dd f0 00 00 00 00 00 00 00 00 e0 00 22 20 0b 01 30 00 00 ea 00 00 00 06 00 00 00 00 00 00 42 08 01 00 00 20 00 00 00 20 01 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 01 00 00 02 00 00 bc 6c 01 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELh" 0B `l@
2024-04-24 00:55:16 UTC	16384	IN	Data Raw: 0a 28 45 00 00 0a 07 28 c9 00 00 0a 6f 2b 02 00 0a 7e 28 00 00 0a 02 7b 5d 00 00 04 6f 2c 02 00 0a 28 45 00 00 0a 07 28 c9 00 00 0a 6f 2d 02 00 0a 7e 28 00 00 0a 6f 2e 02 00 0a de 07 06 28 31 00 00 0a dc 2a 00 00 01 10 00 00 02 00 17 00 ab c2 00 07 00 00 00 00 1e 02 28 1d 00 00 0a 2a 62 02 7b 5f 00 00 04 03 6f 2f 02 00 0a 1e 28 57 00 00 2b fe 01 16 fe 01 2a 1e 02 28 1d 00 00 0a 2a 00 00 00 13 30 03 00 25 00 00 00 24 00 00 11 73 a7 00 00 06 0a 06 03 7d 63 00 00 04 02 7b 60 00 00 04 06 fe 06 a8 00 00 06 73 30 02 00 0a 28 66 00 00 2b 2a 00 00 00 13 30 05 00 88 00 00 00 25 00 00 11 03 6f 31 02 00 0a 03 6f 05 02 00 0a 28 32 02 00 0a 2d 38 02 7b 61 00 00 04 03 6f 05 02 00 0a 6f 33 02 00 0a 2d 08 03 6f 05 02 00 0a 2b 23 03 6f 05 02 00 0a 72 6d 07 00 70 03 6f 34 Data Ascii: (E(o+~({]o,(E(o-~(o.(1(b{_o/(W+(0%$s}c{`s0(f+*0%o1o(2-8{aoo3-o+#ormpo4
2024-04-24 00:55:16 UTC	16384	IN	Data Raw: 00 3c 3e 63 5f 5f 44 69 73 70 6c 61 79 43 6c 61 73 73 32 30 5f 30 00 3c 3e 39 5f 5f 30 5f 30 00 3c 47 65 74 4c 6f 63 61 6c 41 64 6d 69 6e 69 73 74 72 61 74 6f 72 73 47 72 6f 75 70 4e 61 6d 65 3e 62 5f 5f 30 5f 30 00 3c 52 75 6e 3e 62 5f 5f 30 5f 30 00 3c 3e 63 5f 5f 44 69 73 70 6c 61 79 43 6c 61 73 73 30 5f 30 00 3c 3e 39 5f 5f 31 31 5f 30 00 3c 47 65 74 4e 65 77 53 65 72 76 69 63 65 4e 61 6d 65 3e 62 5f 5f 31 31 5f 30 00 3c 54 72 79 47 65 74 55 73 65 72 45 78 70 69 72 61 74 69 6f 6e 54 69 6d 65 3e 62 5f 5f 31 31 5f 30 00 3c 3e 63 5f 5f 44 69 73 70 6c 61 79 43 6c 61 73 73 31 31 5f 30 00 3c 54 72 79 55 6e 69 6e 73 74 61 6c 6c 53 65 72 76 69 63 65 3e 62 5f 5f 32 31 5f 30 00 3c 3e 63 5f 5f 44 69 73 70 6c 61 79 43 6c 61 73 73 31 32 5f 30 00 3c 3e 39 5f 5f 32 Data Ascii: <>c__DisplayClass20_0<>9__0_0<GetLocalAdministratorsGroupName>b__0_0<Run>b__0_0<>c__DisplayClass0_0<>9__11_0<GetNewServiceName>b__11_0<TryGetUserExpirationTime>b__11_0<>c__DisplayClass11_0<TryUninstallService>b__21_0<>c__DisplayClass12_0<>9__2
2024-04-24 00:55:16 UTC	13039	IN	Data Raw: 3c 3e 32 5f 5f 63 75 72 72 65 6e 74 00 67 65 74 5f 49 73 55 73 65 72 41 6c 6c 6f 77 65 64 54 6f 52 65 71 75 69 72 65 43 6f 6e 73 65 6e 74 00 73 65 74 5f 49 73 55 73 65 72 41 6c 6c 6f 77 65 64 54 6f 52 65 71 75 69 72 65 43 6f 6e 73 65 6e 74 00 52 61 69 73 65 45 76 65 6e 74 00 67 65 74 5f 43 6c 69 65 6e 74 4c 61 75 6e 63 68 50 61 72 61 6d 65 74 65 72 73 43 6f 6e 73 74 72 61 69 6e 74 00 67 65 74 5f 43 6f 75 6e 74 00 47 65 74 4d 69 6c 6c 69 73 65 63 6f 6e 64 43 6f 75 6e 74 00 48 61 6e 64 73 68 61 6b 65 54 69 6d 65 6f 75 74 4d 69 6c 6c 69 73 65 63 6f 6e 64 43 6f 75 6e 74 00 67 65 74 5f 4c 61 73 74 4e 65 65 64 65 64 54 69 63 6b 43 6f 75 6e 74 00 73 65 74 5f 4c 61 73 74 4e 65 65 64 65 64 54 69 63 6b 43 6f 75 6e 74 00 63 75 72 72 65 6e 74 54 69 63 6b 43 6f 75 6e Data Ascii: <>2__currentget_IsUserAllowedToRequireConsentset_IsUserAllowedToRequireConsentRaiseEventget_ClientLaunchParametersConstraintget_CountGetMillisecondCountHandshakeTimeoutMillisecondCountget_LastNeededTickCountset_LastNeededTickCountcurrentTickCoun

Target ID:	0
Start time:	02:54:48
Start date:	24/04/2024
Path:	C:\Users\user\Desktop\ScreenConnect.Client.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ScreenConnect.Client.exe"
Imagebase:	0x90000
File size:	86'304 bytes
MD5 hash:	88A8D150F1A63302DDC2D5114CFA5DF2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:54:48
Start date:	24/04/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
Imagebase:	0x2cd52180000
File size:	24'856 bytes
MD5 hash:	B4088F44B80D363902E11F897A7BAC09
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000002.00000002.3084038750.000002CD540FF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:54:49
Start date:	24/04/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	02:55:21
Start date:	24/04/2024
Path:	C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe"
Imagebase:	0xca0000
File size:	587'040 bytes
MD5 hash:	5DEC65C4047DE914C78816B8663E3602
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000006.00000000.2420711709.0000000000CA2000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000006.00000002.2446052274.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	02:55:21
Start date:	24/04/2024
Path:	C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=instance-ci40ys-relay.screenconnect.com&p=443&s=f5fa31ab-3d6b-4ee5-bfb2-5ad29218d79d&k=BgIAAACkAABSU0ExAAgAAAEAAQD9W8zoNnWPJoC76yT2IsLormUE81mBMnaWjFNs3fZDUt%2fuPrvind%2f8vwd0BQl3L0KToJz0OEFRb9JGHP3C35cRcpSBwPza6Nz%2fkAsAH0ilFSAm8EWT2EeRPlbvdxwcDAiKBZ83L%2buWfTmIYPnucJuK3Ilz9SL%2ffGZRWRlZKvsfRj3gKzbvZ1GMSafa1764zjIi6OZySfgjZVNBAxrg21rNeq4Q4RYmuEHkOyZ0quLNNoGAclMpQWUsVu3cBwsmOWEqC%2fG4l1BxM563kpsC1GTA3rjAUmyvvkBXzg9HU7hKY%2bllFed5jp%2fhAgzJv6mqZQpOpRNIzwXj41kCzYdVD%2bu0&r=&i=Untitled%20Session" "1"
Imagebase:	0xbf0000
File size:	95'520 bytes
MD5 hash:	DC615E9D8EC81CBF2E2452516373E5A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	02:55:22
Start date:	24/04/2024
Path:	C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=instance-ci40ys-relay.screenconnect.com&p=443&s=f5fa31ab-3d6b-4ee5-bfb2-5ad29218d79d&k=BgIAAACkAABSU0ExAAgAAAEAAQD9W8zoNnWPJoC76yT2IsLormUE81mBMnaWjFNs3fZDUt%2fuPrvind%2f8vwd0BQl3L0KToJz0OEFRb9JGHP3C35cRcpSBwPza6Nz%2fkAsAH0ilFSAm8EWT2EeRPlbvdxwcDAiKBZ83L%2buWfTmIYPnucJuK3Ilz9SL%2ffGZRWRlZKvsfRj3gKzbvZ1GMSafa1764zjIi6OZySfgjZVNBAxrg21rNeq4Q4RYmuEHkOyZ0quLNNoGAclMpQWUsVu3cBwsmOWEqC%2fG4l1BxM563kpsC1GTA3rjAUmyvvkBXzg9HU7hKY%2bllFed5jp%2fhAgzJv6mqZQpOpRNIzwXj41kCzYdVD%2bu0&r=&i=Untitled%20Session" "1"
Imagebase:	0xbf0000
File size:	95'520 bytes
MD5 hash:	DC615E9D8EC81CBF2E2452516373E5A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	02:55:23
Start date:	24/04/2024
Path:	C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Apps\2.0\BOZA6RRY.O1R\27GOBDJK.3ZX\scre..tion_25b0fbb6ef7eb094_0017.0009_5f48168e1f3e9187\ScreenConnect.WindowsClient.exe" "RunRole" "00bf8db2-e7be-4b91-a934-0cef64fa5596" "User"
Imagebase:	0x930000
File size:	587'040 bytes
MD5 hash:	5DEC65C4047DE914C78816B8663E3602
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.6%
Total number of Nodes:	1566
Total number of Limit Nodes:	32

Executed Functions

Function 00091000 Relevance: 61.5, APIs: 28, Strings: 7, Instructions: 206
encryptionlibrarymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(kernel32), ref: 00091015
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00091021
LocalAlloc.KERNEL32(00000000,00000208), ref: 0009106F
GetModuleFileNameW.KERNEL32(00000000,00000000,00000104), ref: 0009107E
CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00091097
SetFilePointer.KERNELBASE(00000000,000000FC,00000000,00000002), ref: 000910AF
ReadFile.KERNELBASE(00000000,?,00000004,?,00000000), ref: 000910C4
LocalAlloc.KERNEL32(00000000,?), ref: 000910CB
SetFilePointer.KERNELBASE(?,?,00000000,00000002), ref: 000910DE
ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 000910ED
CertOpenSystemStoreA.CRYPT32(00000000,TrustedPublisher), ref: 000910F6
CryptQueryObject.CRYPT32(00000001,?,00000400,00000002,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00091137
CryptMsgGetParam.CRYPT32(?,0000000B,00000000,00000000,00000004), ref: 00091154
LocalAlloc.KERNEL32(00000000,00002000), ref: 00091184
CryptMsgGetParam.CRYPT32(?,0000000C,00000000,00000000,00002000), ref: 0009119A
CertCreateCertificateContext.CRYPT32(00000001,00000000,00002000), ref: 000911AA
CertAddCertificateContextToStore.CRYPT32(?,00000000,00000001,?), ref: 000911BD
CertFreeCertificateContext.CRYPT32(00000000), ref: 000911C4
LocalFree.KERNEL32(00000000), ref: 000911D4
CryptMsgClose.CRYPT32(?), ref: 000911E2
LoadLibraryA.KERNELBASE(dfshim), ref: 000911EC
GetProcAddress.KERNEL32(00000000,?), ref: 000911F7
Sleep.KERNELBASE(00009C40), ref: 0009120D
CertDeleteCertificateFromStore.CRYPT32(?), ref: 0009122B
CertCloseStore.CRYPT32(?,00000000), ref: 0009123A
CloseHandle.KERNEL32(?), ref: 00091243
LocalFree.KERNEL32(?), ref: 0009124C
LocalFree.KERNEL32(?), ref: 00091251

Strings

atio, xrefs: 0009105E
@1#v, xrefs: 00091097
dfshim, xrefs: 000911E8, 000911EB
nW, xrefs: 00091065
kernel32, xrefs: 00091010
TrustedPublisher, xrefs: 000910EF
SetDefaultDllDirectories, xrefs: 0009101B

Memory Dump Source

Source File: 00000000.00000002.2100088119.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.2100070724.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100117744.000000000009B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100137353.00000000000A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100156001.00000000000A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_ScreenConnect.jbxd

Similarity

API ID: CertFileLocal$CertificateCryptFreeStore$AllocCloseContext$AddressCreateLibraryLoadParamPointerProcRead$DeleteFromHandleModuleNameObjectOpenQuerySleepSystem
String ID: @1#v$SetDefaultDllDirectories$TrustedPublisher$atio$dfshim$kernel32$nW
API String ID: 2284365583-2017335585
Opcode ID: 452e61e6594872ff9e581333f2452dabdcaa39d7d18d376b3a19a1027f0ebe95
Instruction ID: 9e7cf8788940235b6a1cf1d16700796fd7474531b0928d84c990ee05a40d39d7
Opcode Fuzzy Hash: 452e61e6594872ff9e581333f2452dabdcaa39d7d18d376b3a19a1027f0ebe95
Instruction Fuzzy Hash: E5715C71A40319ABFF109BE0ED4AFAEBBB9FF48B10F104015F615AA1E0D7B45905CB60

Uniqueness

Uniqueness Score: -1.00%

Function 000936B7 Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?,0009368D,?,000A02E8,0000000C,000937E4,?,00000002,00000000,?,00093FA6,00000003,000920DF,00091B33), ref: 000936D8
TerminateProcess.KERNEL32(00000000,?,0009368D,?,000A02E8,0000000C,000937E4,?,00000002,00000000,?,00093FA6,00000003,000920DF,00091B33), ref: 000936DF
ExitProcess.KERNEL32 ref: 000936F1

Memory Dump Source

Source File: 00000000.00000002.2100088119.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.2100070724.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100117744.000000000009B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100137353.00000000000A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100156001.00000000000A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_ScreenConnect.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 74b391f9ea08ca46fa9babe9c1fb27a763ef450cdb12f50b03ff26d541284a1b
Instruction ID: f38488f619a1bc054da27511e7fb42f8ffce9d0a18a7a6fdb4bbfdb2a8ed9a7a
Opcode Fuzzy Hash: 74b391f9ea08ca46fa9babe9c1fb27a763ef450cdb12f50b03ff26d541284a1b
Instruction Fuzzy Hash: 1CE08C31000208EFDF216F90EE0CA8A3B69FF80361F004014F9058A232CB3ADE62EF40

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00091950 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0009195C
IsDebuggerPresent.KERNEL32 ref: 00091A28
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00091A48
UnhandledExceptionFilter.KERNEL32(?), ref: 00091A52

Memory Dump Source

Source File: 00000000.00000002.2100088119.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.2100070724.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100117744.000000000009B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100137353.00000000000A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100156001.00000000000A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_ScreenConnect.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 4caeb7e90c3b0149858d51e2d0ca3331aad4128cc3f0cb6bfcbc0b4c77c68a0c
Instruction ID: 8d4471eb04bbe4975e4a15dd1050a6538680293d9b0fdc6805e8ebc0cf944dbc
Opcode Fuzzy Hash: 4caeb7e90c3b0149858d51e2d0ca3331aad4128cc3f0cb6bfcbc0b4c77c68a0c
Instruction Fuzzy Hash: CF312775D453199BDF20DFA4D989BCDBBB8BF08300F1040AAE40DAB291EB755A84DF05

Uniqueness

Uniqueness Score: -1.00%

Function 000945B3 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 000946AB
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 000946B5
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 000946C2

Memory Dump Source

Source File: 00000000.00000002.2100088119.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.2100070724.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100117744.000000000009B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100137353.00000000000A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100156001.00000000000A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_ScreenConnect.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 33195ab4c46aa66f7e2a1d3e25fed02d7ba4178c479228028086f98577272ff6
Instruction ID: 3819ae143bdd317cb4805702ce998b5aa629259a2fa12f615c9a6d7fc5d20878
Opcode Fuzzy Hash: 33195ab4c46aa66f7e2a1d3e25fed02d7ba4178c479228028086f98577272ff6
Instruction Fuzzy Hash: A131F374901218ABCF61DF68DD88BCDBBB8BF48310F1041DAE41CA6291EB749F859F45

Uniqueness

Uniqueness Score: -1.00%

Function 00094A8B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 00094C1E

Memory Dump Source

Source File: 00000000.00000002.2100088119.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.2100070724.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100117744.000000000009B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100137353.00000000000A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100156001.00000000000A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_ScreenConnect.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: c092d74595042be4dbba15c9e95151fa5b66c2051f4aa6f3759d7e77c327210d
Instruction ID: 3494c1147e6784d40188e295ecad637fa5a751a3cdb777b85be3a46813a92f78
Opcode Fuzzy Hash: c092d74595042be4dbba15c9e95151fa5b66c2051f4aa6f3759d7e77c327210d
Instruction Fuzzy Hash: 4531E572900249AFDF648E79CC84EFB7BBDEB85314F0441A8F819D7252E630DD469B50

Uniqueness

Uniqueness Score: -1.00%

Function 0009A4D5 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0009A4D0,?,?,00000008,?,?,0009A170,00000000), ref: 0009A702

Memory Dump Source

Source File: 00000000.00000002.2100088119.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.2100070724.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100117744.000000000009B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100137353.00000000000A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100156001.00000000000A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_ScreenConnect.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 2099a6c48289285bda16124cac52f9f078a48e594165acccca2759ea73039b36
Instruction ID: 7761086328fb6f59979fcf852ee4f210f8c9673c8f10d252a306bd19150ff075
Opcode Fuzzy Hash: 2099a6c48289285bda16124cac52f9f078a48e594165acccca2759ea73039b36
Instruction Fuzzy Hash: 53B17031610608DFDB55CF28C48AB647BF0FF46364F298658E89ACF2A1C735D992DB81

Uniqueness

Uniqueness Score: -1.00%

Function 00091C14 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00091C2A

Memory Dump Source

Source File: 00000000.00000002.2100088119.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.2100070724.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100117744.000000000009B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100137353.00000000000A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100156001.00000000000A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_ScreenConnect.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 81f4a3f4769d5d4403a6dcee1f1352e93151ae14a80b7bcffca7182353a4b44f
Instruction ID: 3665157973fb883d167ed2114f6406a265ce0a378b161cee82455b6c1ca3d019
Opcode Fuzzy Hash: 81f4a3f4769d5d4403a6dcee1f1352e93151ae14a80b7bcffca7182353a4b44f
Instruction Fuzzy Hash: E3517CB5B01A169FEB24CF95E8817EABBF0FB48350F14852AD416EB294D3B89940DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00091AE3 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00001AEF,00091331), ref: 00091AE8

Memory Dump Source

Source File: 00000000.00000002.2100088119.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.2100070724.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100117744.000000000009B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100137353.00000000000A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100156001.00000000000A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_ScreenConnect.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: d6620e60328e5977262b9d97e65cd18326987ff29934be5701db4b6dd9601ed2
Instruction ID: 0bb60e79ccb767b1335e2c17a4a66fb2d345273e33250a9442ebf98901a8c9a9
Opcode Fuzzy Hash: d6620e60328e5977262b9d97e65cd18326987ff29934be5701db4b6dd9601ed2
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 000968D6 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000968D6

Memory Dump Source

Source File: 00000000.00000002.2100088119.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.2100070724.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100117744.000000000009B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100137353.00000000000A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100156001.00000000000A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_ScreenConnect.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 71d33541d6b22fd61926f6b16e290389b609c4b094fb380693102fd9e3bfb1a4
Instruction ID: 78d6528ac34a238a441bf596ff652249897a097db4a44efa7f84ee2400ee3198
Opcode Fuzzy Hash: 71d33541d6b22fd61926f6b16e290389b609c4b094fb380693102fd9e3bfb1a4
Instruction Fuzzy Hash: E6A022B0200200CFB3008F38BF0C30C3AE8FB0ABE0302803AA028C2030EB3C80808B00

Uniqueness

Uniqueness Score: -1.00%

Function 0009654A Relevance: 19.6, APIs: 13, Instructions: 114
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___free_lconv_mon.LIBCMT ref: 0009658E

Part of subcall function 000960BB: _free.LIBCMT ref: 000960D8
Part of subcall function 000960BB: _free.LIBCMT ref: 000960EA
Part of subcall function 000960BB: _free.LIBCMT ref: 000960FC
Part of subcall function 000960BB: _free.LIBCMT ref: 0009610E
Part of subcall function 000960BB: _free.LIBCMT ref: 00096120
Part of subcall function 000960BB: _free.LIBCMT ref: 00096132
Part of subcall function 000960BB: _free.LIBCMT ref: 00096144
Part of subcall function 000960BB: _free.LIBCMT ref: 00096156
Part of subcall function 000960BB: _free.LIBCMT ref: 00096168
Part of subcall function 000960BB: _free.LIBCMT ref: 0009617A
Part of subcall function 000960BB: _free.LIBCMT ref: 0009618C
Part of subcall function 000960BB: _free.LIBCMT ref: 0009619E
Part of subcall function 000960BB: _free.LIBCMT ref: 000961B0

_free.LIBCMT ref: 00096583

Part of subcall function 000948A9: HeapFree.KERNEL32(00000000,00000000,?,00096250,?,00000000,?,00000000,?,00096277,?,00000007,?,?,000966E2,?), ref: 000948BF
Part of subcall function 000948A9: GetLastError.KERNEL32(?,?,00096250,?,00000000,?,00000000,?,00096277,?,00000007,?,?,000966E2,?,?), ref: 000948D1

_free.LIBCMT ref: 000965A5
_free.LIBCMT ref: 000965BA
_free.LIBCMT ref: 000965C5
_free.LIBCMT ref: 000965E7
_free.LIBCMT ref: 000965FA
_free.LIBCMT ref: 00096608
_free.LIBCMT ref: 00096613
_free.LIBCMT ref: 0009664B
_free.LIBCMT ref: 00096652
_free.LIBCMT ref: 0009666F
_free.LIBCMT ref: 00096687

Memory Dump Source

Source File: 00000000.00000002.2100088119.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.2100070724.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100117744.000000000009B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100137353.00000000000A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100156001.00000000000A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_ScreenConnect.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 140adea199e5f240289a4c5cce43abe548fcdafbbc05c47f4f0948ac1c780a6e
Instruction ID: 1b88950374e02dbc3593ee80a8db91be3e2b007eb14ed51478c965bc147760ec
Opcode Fuzzy Hash: 140adea199e5f240289a4c5cce43abe548fcdafbbc05c47f4f0948ac1c780a6e
Instruction Fuzzy Hash: 583168716047019FEF60AA39D845B9BB3E8AF40310F144C2AE459D7192EF76EC81EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00094370 Relevance: 15.1, APIs: 10, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 00094384

Part of subcall function 000948A9: HeapFree.KERNEL32(00000000,00000000,?,00096250,?,00000000,?,00000000,?,00096277,?,00000007,?,?,000966E2,?), ref: 000948BF
Part of subcall function 000948A9: GetLastError.KERNEL32(?,?,00096250,?,00000000,?,00000000,?,00096277,?,00000007,?,?,000966E2,?,?), ref: 000948D1

_free.LIBCMT ref: 00094390
_free.LIBCMT ref: 0009439B
_free.LIBCMT ref: 000943A6
_free.LIBCMT ref: 000943B1
_free.LIBCMT ref: 000943BC
_free.LIBCMT ref: 000943C7
_free.LIBCMT ref: 000943D2
_free.LIBCMT ref: 000943DD
_free.LIBCMT ref: 000943EB

Memory Dump Source

Source File: 00000000.00000002.2100088119.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.2100070724.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100117744.000000000009B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100137353.00000000000A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100156001.00000000000A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_ScreenConnect.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 8c0604a716e67f32658d1b95ae63c0a30e405f145773adf7773d820368e02036
Instruction ID: 2285e9b99c546b840cb982859744ad0ec33bd984471fadf67c9bfc9cd4a6e2f0
Opcode Fuzzy Hash: 8c0604a716e67f32658d1b95ae63c0a30e405f145773adf7773d820368e02036
Instruction Fuzzy Hash: C711B676514148FFCF01EF95D842CDE3BA9EF44350B5549A2FA088F223EA71DE51AB80

Uniqueness

Uniqueness Score: -1.00%

Function 00097AF4 Relevance: 12.2, APIs: 8, Instructions: 216
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,0009550B,00000000,?,?,?,00097D45,?,?,00000100), ref: 00097B4E
__alloca_probe_16.LIBCMT ref: 00097B86
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,00097D45,?,?,00000100,5EFC4D8B,?,?), ref: 00097BD4
__alloca_probe_16.LIBCMT ref: 00097C6B
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00097CCE
__freea.LIBCMT ref: 00097CDB

Part of subcall function 00096342: HeapAlloc.KERNEL32(00000000,?,00000004,?,00097E9B,?,00000000,?,000968B2,?,00000004,00000000,?,?,?,00093C0D), ref: 00096374

__freea.LIBCMT ref: 00097CE4
__freea.LIBCMT ref: 00097D09

Memory Dump Source

Source File: 00000000.00000002.2100088119.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.2100070724.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100117744.000000000009B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100137353.00000000000A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100156001.00000000000A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_ScreenConnect.jbxd

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 2597970681-0
Opcode ID: 0466ea5919ae96a24b9b9e0540e14cc0fe75a3427eddbd00bd57d481b694e27d
Instruction ID: b828912f7348233e2ba6135f7f55c10cb53da47e1aefd94b29eb5dadf1f3237d
Opcode Fuzzy Hash: 0466ea5919ae96a24b9b9e0540e14cc0fe75a3427eddbd00bd57d481b694e27d
Instruction Fuzzy Hash: C851C2B3624216ABEF258F64CC81FAF77A9EF44750F25422DFD08D6181EB34DC50A690

Uniqueness

Uniqueness Score: -1.00%

Function 00098459 Relevance: 10.7, APIs: 7, Instructions: 152
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00098BCE,?,00000000,?,00000000,00000000), ref: 0009849B
__fassign.LIBCMT ref: 00098516
__fassign.LIBCMT ref: 00098531
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00098557
WriteFile.KERNEL32(?,?,00000000,00098BCE,00000000,?,?,?,?,?,?,?,?,?,00098BCE,?), ref: 00098576
WriteFile.KERNEL32(?,?,00000001,00098BCE,00000000,?,?,?,?,?,?,?,?,?,00098BCE,?), ref: 000985AF

Memory Dump Source

Source File: 00000000.00000002.2100088119.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.2100070724.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100117744.000000000009B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100137353.00000000000A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100156001.00000000000A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_ScreenConnect.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 90ea0ddfaa79db9a342dbd0b44f67605dce3e48c81a1b56d66a22a03885b720d
Instruction ID: ed3f67dc2eba9e1feb52ef1ce48056caae0f84133632f9147129e80ababbb1fe
Opcode Fuzzy Hash: 90ea0ddfaa79db9a342dbd0b44f67605dce3e48c81a1b56d66a22a03885b720d
Instruction Fuzzy Hash: 73518171A006499FDF10CFA8D845AEEBBF8EF0A310F15811AE555E7291EB349944CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00091E40 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_ValidateLocalCookies.LIBCMT ref: 00091E77
___except_validate_context_record.LIBVCRUNTIME ref: 00091E7F
_ValidateLocalCookies.LIBCMT ref: 00091F08
__IsNonwritableInCurrentImage.LIBCMT ref: 00091F33
_ValidateLocalCookies.LIBCMT ref: 00091F88

Strings

csm, xrefs: 00091F1D

Memory Dump Source

Source File: 00000000.00000002.2100088119.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.2100070724.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100117744.000000000009B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100137353.00000000000A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100156001.00000000000A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_ScreenConnect.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 80924fab37c6892012e6d8bbb20e915fdfd72ffef66c8fc18152ed6be7354a3a
Instruction ID: 309b20a4b1f9129f65dffb7591df29118ecfaa306995efd720e87b5070d1d2c2
Opcode Fuzzy Hash: 80924fab37c6892012e6d8bbb20e915fdfd72ffef66c8fc18152ed6be7354a3a
Instruction Fuzzy Hash: D141D234B0020AABCF10DF68C891AEEBBF5BF45364F148065E8199B392C735AE01DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0009625E Relevance: 10.6, APIs: 7, Instructions: 65
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00096222: _free.LIBCMT ref: 0009624B

_free.LIBCMT ref: 000962AC

Part of subcall function 000948A9: HeapFree.KERNEL32(00000000,00000000,?,00096250,?,00000000,?,00000000,?,00096277,?,00000007,?,?,000966E2,?), ref: 000948BF
Part of subcall function 000948A9: GetLastError.KERNEL32(?,?,00096250,?,00000000,?,00000000,?,00096277,?,00000007,?,?,000966E2,?,?), ref: 000948D1

_free.LIBCMT ref: 000962B7
_free.LIBCMT ref: 000962C2
_free.LIBCMT ref: 00096316
_free.LIBCMT ref: 00096321
_free.LIBCMT ref: 0009632C
_free.LIBCMT ref: 00096337

Memory Dump Source

Source File: 00000000.00000002.2100088119.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.2100070724.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100117744.000000000009B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100137353.00000000000A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100156001.00000000000A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_ScreenConnect.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: aa1bd751eb9540b54bfef75c3f5934118fb1474e201bfce698be932a34bfa36c
Instruction ID: f17cd6d5de19107f55a7076ee0713aa7ed4a250c3f32bcdd117e5dcb592716f4
Opcode Fuzzy Hash: aa1bd751eb9540b54bfef75c3f5934118fb1474e201bfce698be932a34bfa36c
Instruction Fuzzy Hash: 2A115171542B04BAED20BBB0DC47FCB7B9C9F04700F804C25B2AA66053DA67B5067751

Uniqueness

Uniqueness Score: -1.00%

Function 00092411 Relevance: 9.1, APIs: 6, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,00092408,000920DF,00091B33), ref: 0009241F
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0009242D
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00092446
SetLastError.KERNEL32(00000000,00092408,000920DF,00091B33), ref: 00092498

Memory Dump Source

Source File: 00000000.00000002.2100088119.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.2100070724.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100117744.000000000009B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100137353.00000000000A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100156001.00000000000A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_ScreenConnect.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: a15fd5f8fd07d950e5680454abef3e3f6c4a87f1db5bb9eb0a3aa5f2ff38a7bc
Instruction ID: 4752d8125a028812b482a40fce484b1eec8c3dfe9a3187bb9eb1e77196f0a817
Opcode Fuzzy Hash: a15fd5f8fd07d950e5680454abef3e3f6c4a87f1db5bb9eb0a3aa5f2ff38a7bc
Instruction Fuzzy Hash: 8901D43750C7117EBE6427B4BC89EEB3BA4EB067B4B20023AF624910E6FF654C61B540

Uniqueness

Uniqueness Score: -1.00%

Function 00094464 Relevance: 9.0, APIs: 6, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(00000008,?,00096DAC,?,?,?,000A04D0,0000002C,00093F74,00000016,000920DF,00091B33), ref: 00094468
_free.LIBCMT ref: 0009449B
_free.LIBCMT ref: 000944C3
SetLastError.KERNEL32(00000000), ref: 000944D0
SetLastError.KERNEL32(00000000), ref: 000944DC
_abort.LIBCMT ref: 000944E2

Memory Dump Source

Source File: 00000000.00000002.2100088119.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.2100070724.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100117744.000000000009B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100137353.00000000000A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100156001.00000000000A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_ScreenConnect.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 580c2e92dca260130f2f704ebd0819733f2ad604b514a81f430540db0db87b33
Instruction ID: dcd6e1c87e83ad47409bb6254a3d2e9a1678a2322cf7fa3f2c7481777caaa23d
Opcode Fuzzy Hash: 580c2e92dca260130f2f704ebd0819733f2ad604b514a81f430540db0db87b33
Instruction Fuzzy Hash: E4F0FC35904A4066EE62B7347C1AF9F366AAFC1771F254525F528D71D3FF6488037520

Uniqueness

Uniqueness Score: -1.00%

Function 0009373C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,000936ED,?,?,0009368D,?,000A02E8,0000000C,000937E4,?,00000002), ref: 0009375C
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0009376F
FreeLibrary.KERNEL32(00000000,?,?,?,000936ED,?,?,0009368D,?,000A02E8,0000000C,000937E4,?,00000002,00000000), ref: 00093792

Strings

CorExitProcess, xrefs: 00093767
mscoree.dll, xrefs: 00093755

Memory Dump Source

Source File: 00000000.00000002.2100088119.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.2100070724.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100117744.000000000009B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100137353.00000000000A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100156001.00000000000A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_ScreenConnect.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 3e314ccdd95a040e8cbd75f7d790aa79896151104237602f6bd618234d314e9a
Instruction ID: 9d37478f3b8bc89c92943648dc326e3c4a6381d85f1cb92fae080b6acfa2aa39
Opcode Fuzzy Hash: 3e314ccdd95a040e8cbd75f7d790aa79896151104237602f6bd618234d314e9a
Instruction Fuzzy Hash: A9F04F70A05618BBDF119B90ED49BAEBFF5EB44762F004169F905A61A0DB744E40DA90

Uniqueness

Uniqueness Score: -1.00%

Function 00096390 Relevance: 7.6, APIs: 5, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,0009550B,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 000963DD
__alloca_probe_16.LIBCMT ref: 00096415
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00096466
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00096478
__freea.LIBCMT ref: 00096481

Part of subcall function 00096342: HeapAlloc.KERNEL32(00000000,?,00000004,?,00097E9B,?,00000000,?,000968B2,?,00000004,00000000,?,?,?,00093C0D), ref: 00096374

Memory Dump Source

Source File: 00000000.00000002.2100088119.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.2100070724.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100117744.000000000009B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100137353.00000000000A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100156001.00000000000A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_ScreenConnect.jbxd

Similarity

API ID: ByteCharMultiWide$AllocHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 1857427562-0
Opcode ID: 7b0a0b27e718bafcacdd4e95ba6301dd64af5116f98b78aa502123ce0f89de67
Instruction ID: b5b8fff92500084c7a3e54858383f31fb886458ac0312b11b7d87d7fefaf4f7f
Opcode Fuzzy Hash: 7b0a0b27e718bafcacdd4e95ba6301dd64af5116f98b78aa502123ce0f89de67
Instruction Fuzzy Hash: A731AE72A0020AABDF259FA4DC85EEE7BA5EB40750F044229FC04D7151EB36DD50EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00095661 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0009566A
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0009568D

Part of subcall function 00096342: HeapAlloc.KERNEL32(00000000,?,00000004,?,00097E9B,?,00000000,?,000968B2,?,00000004,00000000,?,?,?,00093C0D), ref: 00096374

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 000956B3
_free.LIBCMT ref: 000956C6
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 000956D5

Memory Dump Source

Source File: 00000000.00000002.2100088119.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.2100070724.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100117744.000000000009B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100137353.00000000000A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100156001.00000000000A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_ScreenConnect.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocFreeHeap_free
String ID:
API String ID: 2278895681-0
Opcode ID: 7195c5e1bae3f0dc2d1b99bbab6b36e97b9230e63f87670e697967876396d6ca
Instruction ID: 746c01ef4a6cc8de0c9c04e0ad1fe580fa1b2f5ebc300d76a0eee468d5083267
Opcode Fuzzy Hash: 7195c5e1bae3f0dc2d1b99bbab6b36e97b9230e63f87670e697967876396d6ca
Instruction Fuzzy Hash: FA018872605B157F6B2216A76D48C7F7A6DEBC2BA13540129F944C7151EEA48C01A6B0

Uniqueness

Uniqueness Score: -1.00%

Function 000944E8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0009483E,00097EB9,?,000968B2,?,00000004,00000000,?,?,?,00093C0D,?,00000000), ref: 000944ED
_free.LIBCMT ref: 00094522
_free.LIBCMT ref: 00094549
SetLastError.KERNEL32(00000000,?,?,?,?,?,?), ref: 00094556
SetLastError.KERNEL32(00000000,?,?,?,?,?,?), ref: 0009455F

Memory Dump Source

Source File: 00000000.00000002.2100088119.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.2100070724.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100117744.000000000009B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100137353.00000000000A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100156001.00000000000A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_ScreenConnect.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: f42f185789090ce94abdcc96f365847ae45141cb26c16134f1940c10a861f1e6
Instruction ID: 9d025bed8f67b153ee0cc507c452c6cf3ec27336f8804a44e5ca7aaec9a4970c
Opcode Fuzzy Hash: f42f185789090ce94abdcc96f365847ae45141cb26c16134f1940c10a861f1e6
Instruction Fuzzy Hash: 4601A936104E4067AE1267B56C45E6F376EABD1775B220026F52592193FFA58D077120

Uniqueness

Uniqueness Score: -1.00%

Function 000961B9 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 000961D1

Part of subcall function 000948A9: HeapFree.KERNEL32(00000000,00000000,?,00096250,?,00000000,?,00000000,?,00096277,?,00000007,?,?,000966E2,?), ref: 000948BF
Part of subcall function 000948A9: GetLastError.KERNEL32(?,?,00096250,?,00000000,?,00000000,?,00096277,?,00000007,?,?,000966E2,?,?), ref: 000948D1

_free.LIBCMT ref: 000961E3
_free.LIBCMT ref: 000961F5
_free.LIBCMT ref: 00096207
_free.LIBCMT ref: 00096219

Memory Dump Source

Source File: 00000000.00000002.2100088119.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.2100070724.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100117744.000000000009B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100137353.00000000000A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100156001.00000000000A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_ScreenConnect.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 89946844bb4b7b126a1cedd154694a422b8491fcb8ac7e2920afff740d4a5938
Instruction ID: 930a174fc55f7cc0d4e83dcdbdf404a5bfcfe39dc92bff267f1f3efd3674c916
Opcode Fuzzy Hash: 89946844bb4b7b126a1cedd154694a422b8491fcb8ac7e2920afff740d4a5938
Instruction Fuzzy Hash: 45F09632508A40AB8E60EB54F4D5C9F77D9AB51720B6D0C16F049D7502DF35FC805650

Uniqueness

Uniqueness Score: -1.00%

Function 00093DCF Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00093DED

Part of subcall function 000948A9: HeapFree.KERNEL32(00000000,00000000,?,00096250,?,00000000,?,00000000,?,00096277,?,00000007,?,?,000966E2,?), ref: 000948BF
Part of subcall function 000948A9: GetLastError.KERNEL32(?,?,00096250,?,00000000,?,00000000,?,00096277,?,00000007,?,?,000966E2,?,?), ref: 000948D1

_free.LIBCMT ref: 00093DFF
_free.LIBCMT ref: 00093E12
_free.LIBCMT ref: 00093E23
_free.LIBCMT ref: 00093E34

Memory Dump Source

Source File: 00000000.00000002.2100088119.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.2100070724.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100117744.000000000009B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100137353.00000000000A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100156001.00000000000A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_ScreenConnect.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 46590d15d9cc171302667799e1c682de565c4e1ba76d7d253dfec9589c91138f
Instruction ID: b17888305e86ce37905afab8aa26cf7af7eedc3a799c4ad8aeb941493a8d6f63
Opcode Fuzzy Hash: 46590d15d9cc171302667799e1c682de565c4e1ba76d7d253dfec9589c91138f
Instruction Fuzzy Hash: 42F01778C14A609BBF156F28FC8288E3B61B716760B000A67F41252272DB780942ABC0

Uniqueness

Uniqueness Score: -1.00%

Function 00092F93 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\ScreenConnect.Client.exe,00000104), ref: 00092FD3
_free.LIBCMT ref: 0009309E
_free.LIBCMT ref: 000930A8

Strings

C:\Users\user\Desktop\ScreenConnect.Client.exe, xrefs: 00092FCA, 00092FD1, 00093000, 00093038

Memory Dump Source

Source File: 00000000.00000002.2100088119.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.2100070724.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100117744.000000000009B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100137353.00000000000A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100156001.00000000000A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_ScreenConnect.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\ScreenConnect.Client.exe
API String ID: 2506810119-1791919889
Opcode ID: 7e9b3996f02446c08c4d784128425dcd16e5b1645169c6ca851bd58d605e1139
Instruction ID: 28ab3fa0c5a8ae18edad58ff877167d64d2b982b313ff25fd85e241830aaac28
Opcode Fuzzy Hash: 7e9b3996f02446c08c4d784128425dcd16e5b1645169c6ca851bd58d605e1139
Instruction Fuzzy Hash: 14315A75A00218AFDF219F99DC85DEEBBFCEF85710F20406AF80597212D6758A41EF91

Uniqueness

Uniqueness Score: -1.00%

Function 00092623 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,000925D4,00000000,?,000A1B10,?,?,?,00092777,00000004,InitializeCriticalSectionEx,0009BC48,InitializeCriticalSectionEx), ref: 00092630
GetLastError.KERNEL32(?,000925D4,00000000,?,000A1B10,?,?,?,00092777,00000004,InitializeCriticalSectionEx,0009BC48,InitializeCriticalSectionEx,00000000,?,00092507), ref: 0009263A
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00092662

Strings

api-ms-, xrefs: 00092647

Memory Dump Source

Source File: 00000000.00000002.2100088119.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.2100070724.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100117744.000000000009B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100137353.00000000000A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100156001.00000000000A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_ScreenConnect.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 616f6930f6706f3038bb7062db7edda0538aa072310fd7c3a0982f973f0fec22
Instruction ID: ca45583cd13437796bb1c062ba1e27aff0e7ac541bd5d76e7d3d0ed979abd652
Opcode Fuzzy Hash: 616f6930f6706f3038bb7062db7edda0538aa072310fd7c3a0982f973f0fec22
Instruction Fuzzy Hash: 30E04F30680304B7EF601B60FD07F5A3FA9BB50B61F104021FA0DE84F1D7A6E954AA89

Uniqueness

Uniqueness Score: -1.00%

Function 00095820 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,000957C7,00000000,00000000,00000000,00000000,?,000959C4,00000006,FlsSetValue), ref: 00095852
GetLastError.KERNEL32(?,000957C7,00000000,00000000,00000000,00000000,?,000959C4,00000006,FlsSetValue,0009C4D8,FlsSetValue,00000000,00000364,?,00094536), ref: 0009585E
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,000957C7,00000000,00000000,00000000,00000000,?,000959C4,00000006,FlsSetValue,0009C4D8,FlsSetValue,00000000), ref: 0009586C

Memory Dump Source

Source File: 00000000.00000002.2100088119.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.2100070724.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100117744.000000000009B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100137353.00000000000A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100156001.00000000000A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_ScreenConnect.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: b137fc7da45d57d77bb96047e584e2845b605cf05fee2304ec82e5fab27833a8
Instruction ID: 4c0dd5a244d88a816500af723f703f6d772fe53fa7da0e9b2604136baeede155
Opcode Fuzzy Hash: b137fc7da45d57d77bb96047e584e2845b605cf05fee2304ec82e5fab27833a8
Instruction Fuzzy Hash: FA01F732601B32ABDF324B6AAC4496B37D8FF457B2B200520F929F7150DB24D8019BE0

Uniqueness

Uniqueness Score: -1.00%

Function 000948FB Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00094A67

Part of subcall function 0009478D: IsProcessorFeaturePresent.KERNEL32(00000017,0009477C,00000000,?,00000004,00000000,?,?,?,?,00094789,00000000,00000000,00000000,00000000,00000000), ref: 0009478F
Part of subcall function 0009478D: GetCurrentProcess.KERNEL32(C0000417), ref: 000947B1
Part of subcall function 0009478D: TerminateProcess.KERNEL32(00000000), ref: 000947B8

Strings

*?, xrefs: 0009493E
., xrefs: 00094C1E

Memory Dump Source

Source File: 00000000.00000002.2100088119.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.2100070724.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100117744.000000000009B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100137353.00000000000A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100156001.00000000000A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_ScreenConnect.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free
String ID: *?$.
API String ID: 2667617558-3972193922
Opcode ID: 4067b8579421d50c0dca506f7f6eb075366b24a2d0ed26a33fd87917b1f5dc63
Instruction ID: 2830014f071d1e371d9434f99dd95a785cf0d15e1e8b5215eced46ff261aca05
Opcode Fuzzy Hash: 4067b8579421d50c0dca506f7f6eb075366b24a2d0ed26a33fd87917b1f5dc63
Instruction Fuzzy Hash: EE519075E04219AFDF14CFA8C881AEEBBF5EF98314F24816AE454E7341E7319E029B50

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: dfsvc.exePID: 1048, Parent PID: 4996COMMON

Execution Graph

Execution Coverage:	16.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	474
Total number of Limit Nodes:	69

Executed Functions

Function 00007FFD348B1488 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 408
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2M_I, xrefs: 00007FFD348B1504
x]c, xrefs: 00007FFD348B16D0
c, xrefs: 00007FFD348B1733

Memory Dump Source

Source File: 00000002.00000002.3116293335.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd348b0000_dfsvc.jbxd

Similarity

API ID:
String ID: 2M_I$c$x]c
API String ID: 0-398674058
Opcode ID: 1c15ef00bd0b980160e26edf9a534146c49cea1d3a4c51a1f652992a65e1abbe
Instruction ID: 711c1fe386cb01f2df0f3cdedacbbdac6ed38835ed87c69847c00fda63273f6d
Opcode Fuzzy Hash: 1c15ef00bd0b980160e26edf9a534146c49cea1d3a4c51a1f652992a65e1abbe
Instruction Fuzzy Hash: E7C12352B0EAC90FE756DB6C58AA2787BD1EF93350B1841FBD049CB197ED6CE8058381

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD348C1287 Relevance: 1.7, APIs: 1, Instructions: 204networkCOMMON

Download Yara Rule

APIs

InternetGetCookieW.WININET ref: 00007FFD348C13F6

Memory Dump Source

Source File: 00000002.00000002.3116293335.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd348b0000_dfsvc.jbxd

Similarity

API ID: CookieInternet
String ID:
API String ID: 930238652-0
Opcode ID: 2764ec2029fe090722acc21a48f023de467939a1297505a864e21f8f6d55aebd
Instruction ID: b5dcb48c7c49793fcafcd573eef27d9fc8865cca8e9e529cbfcae2f9ad4681c6
Opcode Fuzzy Hash: 2764ec2029fe090722acc21a48f023de467939a1297505a864e21f8f6d55aebd
Instruction Fuzzy Hash: 38618E30608A4D8FDB68DF28C8957E977E1FF59301F14826FD84EC7292CB78A9418B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD348B99F5 Relevance: 1.7, APIs: 1, Instructions: 170fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FFD348B9B1C

Memory Dump Source

Source File: 00000002.00000002.3116293335.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd348b0000_dfsvc.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6c1eeffe351f20fb4c2818c8b00bfacc8cf7082fc9bf75fcbbb6603b148cd241
Instruction ID: 1fdb92cf382273a9acf7ba6ce3ad31dd110b91a1a60fd120e8d9875f10cf6b06
Opcode Fuzzy Hash: 6c1eeffe351f20fb4c2818c8b00bfacc8cf7082fc9bf75fcbbb6603b148cd241
Instruction Fuzzy Hash: 8B518E7190CA5C8FDB68EF589845BE9BBE0FB59310F1442AEE04DD3252CB74A952CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD3479EF5F Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3101438867.00007FFD3479D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3479D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd3479d000_dfsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94d576015ee82a43e9c39d44f6ef5b3c3a9fe51ee706de8d2e34787aa7575db6
Instruction ID: b940c58a5491e8be9ed280a9e4d6c74cf9af0eb213f27b8367e762b40c4253ab
Opcode Fuzzy Hash: 94d576015ee82a43e9c39d44f6ef5b3c3a9fe51ee706de8d2e34787aa7575db6
Instruction Fuzzy Hash: 5D014B3261CE088F9BA8EF1EE485D5237E1FB98320710069BD41DC769AD635F892CBC1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ScreenConnect.WindowsClient.exePID: 528, Parent PID: 1048COMMON

Execution Graph

Execution Coverage:	13.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	14
Total number of Limit Nodes:	1

Executed Functions

Function 00007FFD348C82A4 Relevance: 1.7, APIs: 1, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetProcessMitigationPolicy.KERNELBASE ref: 00007FFD348C83D2

Memory Dump Source

Source File: 00000006.00000002.2450426790.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd348c0000_ScreenConnect.jbxd

Similarity

API ID: MitigationPolicyProcess
String ID:
API String ID: 1088084561-0
Opcode ID: b93bd1cc6202f0bb7d19e1211e419a3dfbb62c50b0fbf197a3b232d1ac7c63df
Instruction ID: bf60ab83ce0637fc4521d474c30383049ed3bcc62221f4e071832de0cd45c63c
Opcode Fuzzy Hash: b93bd1cc6202f0bb7d19e1211e419a3dfbb62c50b0fbf197a3b232d1ac7c63df
Instruction Fuzzy Hash: 49411A31D0CB484FE725ABA8985A5F9BBE0EF56311F04017FE489C3293DE68A846C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD348CF2BB Relevance: 1.7, APIs: 1, Instructions: 176
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 00007FFD348CF3EC

Memory Dump Source

Source File: 00000006.00000002.2450426790.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd348c0000_ScreenConnect.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6f18444e7dd8f6d1874ac3ffc564557dac8deec3b9b31614a9ab017205b1e197
Instruction ID: 9149c20242a93301c5007fb6118748b9e0f0657354ab6e63f6a8c0b95838eec6
Opcode Fuzzy Hash: 6f18444e7dd8f6d1874ac3ffc564557dac8deec3b9b31614a9ab017205b1e197
Instruction Fuzzy Hash: CA51A17190CA5C8FDB68DF58D845BA9BBE0FB69310F1441AED14DD3252CB34A885CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD348C461C Relevance: 1.6, APIs: 1, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTokenInformation.KERNELBASE ref: 00007FFD348DE7A6

Memory Dump Source

Source File: 00000006.00000002.2450426790.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd348c0000_ScreenConnect.jbxd

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 9f42b673c67b515347828704ed65b36e3d74a6c6398f6191aad94b89c78419b3
Instruction ID: b2334b450fa30f90890123bd3f27371491f52e42a82aa126bd7b654d42c51fcc
Opcode Fuzzy Hash: 9f42b673c67b515347828704ed65b36e3d74a6c6398f6191aad94b89c78419b3
Instruction Fuzzy Hash: 5231C77191CB588FDB18DF9CD8466FD77E1EBA9721F00422FE049D3251DB75A8068B82

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD348C3AB4 Relevance: 1.6, APIs: 1, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetProcessMitigationPolicy.KERNELBASE ref: 00007FFD348C83D2

Memory Dump Source

Source File: 00000006.00000002.2450426790.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd348c0000_ScreenConnect.jbxd

Similarity

API ID: MitigationPolicyProcess
String ID:
API String ID: 1088084561-0
Opcode ID: d23f56fe9fc410221cf993f78b185aceaf9a76a3de6884f8768716be66cdcd3a
Instruction ID: 8fa9d54d5c57b1a3e8ce5e85e8ea7cbe04e1ea6141c107afed0dcfc338dfb307
Opcode Fuzzy Hash: d23f56fe9fc410221cf993f78b185aceaf9a76a3de6884f8768716be66cdcd3a
Instruction Fuzzy Hash: D321C531918B188FD728AF9DD84A6F9B7E4EB69711F00412FE049D3251DB74B846CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD348C3A04 Relevance: 1.6, APIs: 1, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE ref: 00007FFD348DE9BC

Memory Dump Source

Source File: 00000006.00000002.2450426790.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd348c0000_ScreenConnect.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 3dcc619139fde4711767ee617d3d415acf0a003811f00d0eff1aa02d902c4922
Instruction ID: 114278a874c62af7741c846e019c22d18ad4862620452439c843911bedfefb3f
Opcode Fuzzy Hash: 3dcc619139fde4711767ee617d3d415acf0a003811f00d0eff1aa02d902c4922
Instruction Fuzzy Hash: 9821B071A08A1C9FEB58DB98D449BF9B7F0EFA5321F00422ED049D3291DB75A856CB81

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ScreenConnect.ClientService.exePID: 5112, Parent PID: 528COMMON

Executed Functions

Function 00B933F0 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

#), xrefs: 00B9355E

Memory Dump Source

Source File: 00000007.00000002.2443945368.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b90000_ScreenConnect.jbxd

Similarity

API ID:
String ID: #)
API String ID: 0-405437329
Opcode ID: ec9646e5f3cd1fc13df5c99b1810b6a5759d7476dab8e78a11e9d12739bd271f
Instruction ID: 127f3f88670a5eb3fb2f180f0575fb3221a0a179971432e9536fcb5468a8030e
Opcode Fuzzy Hash: ec9646e5f3cd1fc13df5c99b1810b6a5759d7476dab8e78a11e9d12739bd271f
Instruction Fuzzy Hash: 7631E4317006129FCB01AB7CA8A59BE77E2FFCA750304897AD505DB355EE209D0A8785

Uniqueness

Uniqueness Score: -1.00%

Function 00B93448 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

#), xrefs: 00B9355E

Memory Dump Source

Source File: 00000007.00000002.2443945368.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b90000_ScreenConnect.jbxd

Similarity

API ID:
String ID: #)
API String ID: 0-405437329
Opcode ID: 7de734e77de7885ac65631425ce1b6703cedf9a6a49417fa0067fb2c29fc8a3c
Instruction ID: b47d72f500d1a2d7b57760d9690d268ac70433c03e82bee457fabbb13ba1d3cb
Opcode Fuzzy Hash: 7de734e77de7885ac65631425ce1b6703cedf9a6a49417fa0067fb2c29fc8a3c
Instruction Fuzzy Hash: FA31C5307006015BCB11AB7CA8959BE7BE2FBCA7503008A7DE515D7355EE70AD0A8786

Uniqueness

Uniqueness Score: -1.00%

Function 00B92075 Relevance: .4, Instructions: 387COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2443945368.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57527fe5bda61322eed5e6b31462f473893e86b7d7c8723e43978b891499adf0
Instruction ID: adf09ff8876dca3684d3f896918d58f9ce510f074235b449fccdbdfe5d4e0ee2
Opcode Fuzzy Hash: 57527fe5bda61322eed5e6b31462f473893e86b7d7c8723e43978b891499adf0
Instruction Fuzzy Hash: 68519C30B042059FDB15EB38D854AAE7BF2EF89310B1485B9D506DB3A1EE75DC06DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B96BC8 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2443945368.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be406eb611da1ac66a7331a449b81d295842cd5a2cb446865bf82bc5f88bb63f
Instruction ID: cddd083967cd49b4efde828954a491f6d49274e5e4ab988f47178dfad60b2fb2
Opcode Fuzzy Hash: be406eb611da1ac66a7331a449b81d295842cd5a2cb446865bf82bc5f88bb63f
Instruction Fuzzy Hash: 2151F130B042149FDB289B34E854BAEBBF2FF84700F2485B9E456DB295DB709C85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B94C88 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2443945368.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 487196498aeb981d399b9a5c9d09a4cab0ec4de5f7488a38041ec8e8f7572b41
Instruction ID: d3cb3f45fb235ea76984f2695c8f58a5fec0fa11d0274bb232062c490e7c7d26
Opcode Fuzzy Hash: 487196498aeb981d399b9a5c9d09a4cab0ec4de5f7488a38041ec8e8f7572b41
Instruction Fuzzy Hash: 56618330A00245CFDB04DF78C48479ABBF2AF89310F2486A5D515AF396DB75ED86CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B94C77 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2443945368.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 435ee9249769d5e6b22cc9cc3beb93e84fdc70383f68643a93492fe9f287c2a9
Instruction ID: 649855007e3caaa52cd832a5d2cfa959c6e404a9415d84fa544843d94ef241a6
Opcode Fuzzy Hash: 435ee9249769d5e6b22cc9cc3beb93e84fdc70383f68643a93492fe9f287c2a9
Instruction Fuzzy Hash: 3861B130A00245CFDB05DF78C48479EBBF2AF85310F2486A9D505AF396DBB59D86CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B96FF0 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2443945368.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0455747b1f410b2633689e6c4e5f2348b5e59517e1315ffdef9449d188dbc642
Instruction ID: 07cef0425e9b3320930630131bc2b3c278bbe0598d80a051174302c8d0d5f1c2
Opcode Fuzzy Hash: 0455747b1f410b2633689e6c4e5f2348b5e59517e1315ffdef9449d188dbc642
Instruction Fuzzy Hash: C6516E30D102099FDB41EFB8D854BDDBBB1FF89304F108569E105BB261EB31A94ACB54

Uniqueness

Uniqueness Score: -1.00%

Function 00B94920 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2443945368.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71d93b3b1846e9ac77f687c41016ff1b97bebf911ef9320720f5b9f764f922d1
Instruction ID: 917386d96dbe92949400e2399d1434898bd0c204ac837225cf60cf6b89083f9e
Opcode Fuzzy Hash: 71d93b3b1846e9ac77f687c41016ff1b97bebf911ef9320720f5b9f764f922d1
Instruction Fuzzy Hash: B051FC34600A01CFCB24CF29D894A56B7F2FF8D325B248A6CD5969B7A4D731E846CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00B96FE0 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2443945368.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b1e0dafe49ac02ad92a4d642fc4197526634e342804cba30f15ab3592271838
Instruction ID: 8dac2422d4160fdb54f9cf65c509d96c81453d68e1485408df677bfdf9e2f9b3
Opcode Fuzzy Hash: 2b1e0dafe49ac02ad92a4d642fc4197526634e342804cba30f15ab3592271838
Instruction Fuzzy Hash: BD513B30E102099FDB40EFB8D854BDDBBB2FF89300F108529E105BB295EB716989CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00B942D0 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2443945368.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7b94ea764cf18e3daf117a18ddbf98f76db8af4ca127905dff7435e841b1d92
Instruction ID: 113d05386835204fdbcfac3805ff509cfceab4576819d55c00522c536a9b55e6
Opcode Fuzzy Hash: e7b94ea764cf18e3daf117a18ddbf98f76db8af4ca127905dff7435e841b1d92
Instruction Fuzzy Hash: 09418B31B00205CBDF14EF68E494AAEBBA2EFC8310B14C1A9D9199B355DF71A906CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B93640 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2443945368.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27a5355acdd22a7ccd69005ae0f9e2455a1e48ddee5e6d1bb22869e68649213d
Instruction ID: ce6c93583fbac93d56365444de2ae4b3389ebd440374ce728063c98ba0b58806
Opcode Fuzzy Hash: 27a5355acdd22a7ccd69005ae0f9e2455a1e48ddee5e6d1bb22869e68649213d
Instruction Fuzzy Hash: C8413BB47007058FCB20DF69D848AAAB7F1FF88711B148A68D456DB7A0D730EE45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B937E1 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2443945368.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62a63da37ad256fc8e9bd9c980e4366c6d3dd02cc41cfc7c8c46df3bc51a8732
Instruction ID: c37b91e34cfa83dd14f627dae78ccd050db9e5e1ef7f7b43161f5511b2572cc6
Opcode Fuzzy Hash: 62a63da37ad256fc8e9bd9c980e4366c6d3dd02cc41cfc7c8c46df3bc51a8732
Instruction Fuzzy Hash: F0410430B042458FCB059B68D4A59AEBFF1EFC6720B1941F9E9099B352DB308D06C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 00B95DEA Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2443945368.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c53cdcbf623481c1c8cd1946d8191a165c6b096ca2a2ef4e0c002c3584a933f4
Instruction ID: eded1340f8a6aeac04230ae48b416c2383a52f8f68fbca9887cbd31f0912d91d
Opcode Fuzzy Hash: c53cdcbf623481c1c8cd1946d8191a165c6b096ca2a2ef4e0c002c3584a933f4
Instruction Fuzzy Hash: A74148307106048FCB15DB79D868AAEBBF2BF89710B1585ADE406DB3A1DF719D05CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B93630 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2443945368.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d163870c136300a9d227a01a0329cd3650f4fd48faa3f6068c341bb87650983
Instruction ID: 9060074b29149abc5d4991dc996b9987def3e9a94b172ccc9107df4ba465a486
Opcode Fuzzy Hash: 3d163870c136300a9d227a01a0329cd3650f4fd48faa3f6068c341bb87650983
Instruction Fuzzy Hash: 73413BB07007058FCB24DF69D848AAAB7F1FF88711B148A69D456DB7A1E730EE45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B93D98 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2443945368.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a505237059f28420d18cce75d7a42ecc473a7f26176c93d17a2211e7c47575dd
Instruction ID: 58fcf99080ef68a47d5f02c39804780960c9c7cc24b039e4b01495970c708b38
Opcode Fuzzy Hash: a505237059f28420d18cce75d7a42ecc473a7f26176c93d17a2211e7c47575dd
Instruction Fuzzy Hash: 1B317C30B106058BCB14DF69C464AAFFBF6EF8A754F1484B9D506E7294DB709D048BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00B950A0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2443945368.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78b0134547cf22245bd97a927d4716e91afd3acd2a633e29fa17e6cfeea9c8b7
Instruction ID: da5a8cdc0921e8a1733c457f3d9db7b8169bb1e95e34a8df171c11bc822dac69
Opcode Fuzzy Hash: 78b0134547cf22245bd97a927d4716e91afd3acd2a633e29fa17e6cfeea9c8b7
Instruction Fuzzy Hash: 402196317002045BD701DB78E855ABEBBA2EBC9250F048A29E505DB391DF706D0587D5

Uniqueness

Uniqueness Score: -1.00%

Function 00B91810 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2443945368.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cdb3ab7d53a119a871b56a7ce01f1e86d337a348fd893ca3a8f1bfb82407db2
Instruction ID: 9daf8ba4d05db054ae7112ea01ec83109b4edfb0a645fa3d3a17df6fca058436
Opcode Fuzzy Hash: 9cdb3ab7d53a119a871b56a7ce01f1e86d337a348fd893ca3a8f1bfb82407db2
Instruction Fuzzy Hash: F6112731A1E342DFDB525BB8747A5EA7FF5FE17310700CCEDC29A46211E5284806D655

Uniqueness

Uniqueness Score: -1.00%

Function 00B94B50 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2443945368.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e6e659e1ac4fb195fe5892b1119b67962a7c01cd46ea57a24574e87c131c127
Instruction ID: 547a284b98ead8890c8d3f6cbd67639440ab7154189c1f367c48ae08a6c0bf9d
Opcode Fuzzy Hash: 0e6e659e1ac4fb195fe5892b1119b67962a7c01cd46ea57a24574e87c131c127
Instruction Fuzzy Hash: 79213E30600605CFCB34DF69D854A9AB7F1EF88320B108A6DD496976A1DB71E94ADF80

Uniqueness

Uniqueness Score: -1.00%

Function 00B950B0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2443945368.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d92f45629345f799a315c01d80526798e2448548ed59555ce68991ad9e1df72
Instruction ID: a0bfefa0ecc35c11e6439c493d3703f85d301a969c3e60878439bc4907cfadff
Opcode Fuzzy Hash: 6d92f45629345f799a315c01d80526798e2448548ed59555ce68991ad9e1df72
Instruction Fuzzy Hash: 9C117F317002049BD700EB78E855ABEB7A2EBC9750F008A29E605DB340DF70AD0587D5

Uniqueness

Uniqueness Score: -1.00%

Function 00B94F20 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2443945368.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73c60e270b29ec0714c261590bd0e5da721a057a2c76569f31e4a384d0624476
Instruction ID: 5653abded6c2c6dd2ae140f81e0fbd23c09f42bf9fc88b03267b577ac0d860e0
Opcode Fuzzy Hash: 73c60e270b29ec0714c261590bd0e5da721a057a2c76569f31e4a384d0624476
Instruction Fuzzy Hash: 331160319002499FCB01DFA8D8818DEBBF1FF4A304B14855ADA48FB261D771AA1ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B95015 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2443945368.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38c46ac6d97f6c4324f99946212a2c9870cb27255f782edbadde3fc2dc36c060
Instruction ID: 3d7ffe2073fc5b3434b254481572755252fd6c0cdae81161064935aecb83c7db
Opcode Fuzzy Hash: 38c46ac6d97f6c4324f99946212a2c9870cb27255f782edbadde3fc2dc36c060
Instruction Fuzzy Hash: 41115B3190004DCFCF11DFA8D8809DDBBF2FF85304B54C5A4E145AB125DB32A946CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B97D80 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2443945368.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 540075c5382bed0006f41f13c3689b54971e04740baa720967c3858ee4e4ae35
Instruction ID: 50a8d769a26d6d9ce1db12cd30ddaa1c44bd570146e5214743e66bdcc4b25c20
Opcode Fuzzy Hash: 540075c5382bed0006f41f13c3689b54971e04740baa720967c3858ee4e4ae35
Instruction Fuzzy Hash: 0C0126B264C2805FCB118768BC901D9FFE4DF93231F5801FAD2D486083C225545BC3A2

Uniqueness

Uniqueness Score: -1.00%

Function 00B97DD9 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2443945368.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d35b1e5cede5ee5dbc2870f32dcd6086245c26666542198afb7aa676caa3ed4
Instruction ID: 2980f4f341144938c61cd7c89133e068effde1f4b543882bb4d048e2da7f4c75
Opcode Fuzzy Hash: 4d35b1e5cede5ee5dbc2870f32dcd6086245c26666542198afb7aa676caa3ed4
Instruction Fuzzy Hash: 3401D87260D2905FD755CB38E8546DB7FD99FE6220F0984BEE58CC3281E93598068361

Uniqueness

Uniqueness Score: -1.00%

Function 00B94F30 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2443945368.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 480602345a0af0258b2611428d9159feebb328d985620b5beb43629bee9467db
Instruction ID: 2e031864e039a5a378e283a2e6909d9d21c3b9f4d841afb882dd3cd8932090e0
Opcode Fuzzy Hash: 480602345a0af0258b2611428d9159feebb328d985620b5beb43629bee9467db
Instruction Fuzzy Hash: 7A110035A00209DFCF00DFA8D9409DEBBF5FF49314B108569EA09FB261D771AA1ACB95

Uniqueness

Uniqueness Score: -1.00%

Function 00B91820 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2443945368.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 381fa80bb29bf3b96b2903a31867b5e7e5b008234b27cf77e4988823e63d56d6
Instruction ID: 525cd7f4757f4a10ff635315ebdf1d0fbaf40d04d89957e477ebf9c494b429ab
Opcode Fuzzy Hash: 381fa80bb29bf3b96b2903a31867b5e7e5b008234b27cf77e4988823e63d56d6
Instruction Fuzzy Hash: DC01A230708244CFCB159B7898588693FF9EF4621131584EAE44ACB273DB35DC07E755

Uniqueness

Uniqueness Score: -1.00%

Function 008FD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2443378664.00000000008FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8fd000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1633db34dcdbc0b78662ac4bf73304e57cd06dd53b9369b2f7898389f12ff19
Instruction ID: 6c0cf2649144be8aac31e26696faebeb9662c9d5875f6d131d37ccfa8b8424c1
Opcode Fuzzy Hash: d1633db34dcdbc0b78662ac4bf73304e57cd06dd53b9369b2f7898389f12ff19
Instruction Fuzzy Hash: 4101D831004748EAE7104B35C880B76FBD9FB81324F14C119DF484B242C6799845C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 00B94FB0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2443945368.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81c2aad2cb25f56a240d5c93c100fe9a02c337fac2b1aea6cafe896cddaaf30c
Instruction ID: 55744006b765bb1e02c46ee6a9f4b161506e8f3fabf15c2d7afa901ed09f0de2
Opcode Fuzzy Hash: 81c2aad2cb25f56a240d5c93c100fe9a02c337fac2b1aea6cafe896cddaaf30c
Instruction Fuzzy Hash: DB016932D001599FCF04DFA9D8448DDFBB2FF89310B04866AD559BB290DB31691ACB94

Uniqueness

Uniqueness Score: -1.00%

Function 00B90808 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2443945368.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3956bffe1723ad0cb0460278610308bc112404490872f08cdc4fd736820dad79
Instruction ID: b854fc99fbde1cf833e25d78bad865bea478ea3d420b15db600d1663213c69b8
Opcode Fuzzy Hash: 3956bffe1723ad0cb0460278610308bc112404490872f08cdc4fd736820dad79
Instruction Fuzzy Hash: 6D01B16180E3E49FCB03EB7CA875699BFB09F93214F0901EFC085CB1A3E6140909D762

Uniqueness

Uniqueness Score: -1.00%

Function 00B90E98 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2443945368.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a02d23f22e1f6e764fada5edc975da3412c26fa6dc41ac4fcd96932f3edbaf38
Instruction ID: 0d88a8d209a78f21b6ec839d0348223767bf33a9deb5576673bb6de0e90e65b8
Opcode Fuzzy Hash: a02d23f22e1f6e764fada5edc975da3412c26fa6dc41ac4fcd96932f3edbaf38
Instruction Fuzzy Hash: FD0144323187408FCF23A63CA8209AB3BF1EAC734030585BFC185D7696EA24980A9791

Uniqueness

Uniqueness Score: -1.00%

Function 00B97DE8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2443945368.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae7e3341feb83539b128d673c5accfe9b706985a8d65f73eca9e740427ecbde1
Instruction ID: 165f95ef5cef24f2857e9a29374c65512e799ea0309e1cea53b3fde991b19790
Opcode Fuzzy Hash: ae7e3341feb83539b128d673c5accfe9b706985a8d65f73eca9e740427ecbde1
Instruction Fuzzy Hash: 6AF08C37B0D2445FDB28CABAA401A9BBBDECBD4220B14C4BFE94DC3740E831A8018764

Uniqueness

Uniqueness Score: -1.00%

Function 008FD01C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2443378664.00000000008FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8fd000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f57d0041b61082e429b53e707733b19761d5695bc482161416a2eaa34457d85
Instruction ID: 5fd3c443e39b4c05a1951973b7bcf0adab4e312056c991232eb82cdeb44158d4
Opcode Fuzzy Hash: 7f57d0041b61082e429b53e707733b19761d5695bc482161416a2eaa34457d85
Instruction Fuzzy Hash: 81F04F71405744AAE7208A15C884B62FBD8EB91724F28C55AEE484E286C3799845CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 00B91351 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2443945368.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ed870da6bf5b167a6446f94dcb5abee563e50826df0a9e337ae87009b6ad28c
Instruction ID: ae2ffe2274a8d33fa1157b6d3758361674279ba7b690cf99c4349b5a32bbdc2e
Opcode Fuzzy Hash: 4ed870da6bf5b167a6446f94dcb5abee563e50826df0a9e337ae87009b6ad28c
Instruction Fuzzy Hash: D8F03C30A0924AEFCF05EFB8D450AADBFF1EB45310F1086E9C405A7A52E7305E84EB55

Uniqueness

Uniqueness Score: -1.00%

Function 00B96B70 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2443945368.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6ac4c6a20c138c7f25ea0b332c478af95d85712a6fdcb5988bf199aa47fb390
Instruction ID: eb115dc3e51f4b3a23cf7a1972212153c4030819b0fbcb1162a62f62695ae544
Opcode Fuzzy Hash: a6ac4c6a20c138c7f25ea0b332c478af95d85712a6fdcb5988bf199aa47fb390
Instruction Fuzzy Hash: 14F0A7717042901FC7251F7D68984AE7FE6EBCA72070445BAE585C3341CF3A4C178351

Uniqueness

Uniqueness Score: -1.00%

Function 00B9140C Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2443945368.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bd5ef79f9f4d65ec3a98da311d0477b2490a8210ae258a1c7fece06872e4640
Instruction ID: 2ce92ad6eda8f2232d71e42a755a5f6cb1eadbc6546a15fa43e685b444178deb
Opcode Fuzzy Hash: 3bd5ef79f9f4d65ec3a98da311d0477b2490a8210ae258a1c7fece06872e4640
Instruction Fuzzy Hash: F0F0B42210D3D24FD713937CB8616ED7FF0EEA33107484ADFD1818B6A6D654A50AD361

Uniqueness

Uniqueness Score: -1.00%

Function 00B91360 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2443945368.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb833b5f033eb0f6b982cec5ec4cb628c0c1acea7f175cf631717ab02bd35b6b
Instruction ID: 576863e20a47df982cf41d2b764a602dcf9b16f6fcff2cabbe621c5737fcb00d
Opcode Fuzzy Hash: cb833b5f033eb0f6b982cec5ec4cb628c0c1acea7f175cf631717ab02bd35b6b
Instruction Fuzzy Hash: 35F0E730A04209EFCF40EFA8D4949ACBBF1EB44310F1085A9C505A7A51EB306E84EB85

Uniqueness

Uniqueness Score: -1.00%

Function 00B90EA8 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2443945368.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18aae6bfaa1fc9758022fa152b63bdbaff6627f37c17690eb9121245faf4ca4f
Instruction ID: afac1bfec010f5127459b1a43edb8da3b0afd0e943741b2db8d18c74bd6eb89f
Opcode Fuzzy Hash: 18aae6bfaa1fc9758022fa152b63bdbaff6627f37c17690eb9121245faf4ca4f
Instruction Fuzzy Hash: 90F037353106158FCB52B62DE41095B37E9EAC5750340453DD155D7354FF209C0557D1

Uniqueness

Uniqueness Score: -1.00%

Function 00B91D80 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2443945368.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0751fbc207ac75a1f163bdfb651d6626cdaa5b5c57cf96884d813fb65937b36
Instruction ID: 370e2e8531b2603783cb0f969358775b4548bedf144bb6d19514dfb6e5ef5ebf
Opcode Fuzzy Hash: d0751fbc207ac75a1f163bdfb651d6626cdaa5b5c57cf96884d813fb65937b36
Instruction Fuzzy Hash: CEE0E5323192805FC3015B3CA81C4AE7FA2AFD7251314826BE807C73E1CE708C06C755

Uniqueness

Uniqueness Score: -1.00%

Function 00B96B80 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2443945368.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e1909f7e6d758e6c0123cc713c1567a84244831046359e34e6985dd9651a46a
Instruction ID: 0aa6c719944ce2fc898f04fb0afbb219e287395e50677093052ca6c7db271720
Opcode Fuzzy Hash: 3e1909f7e6d758e6c0123cc713c1567a84244831046359e34e6985dd9651a46a
Instruction Fuzzy Hash: B2E0DF317002105BCB142EAE688C42ABBCAEBC9B61700403EE60AC3340DF758C094394

Uniqueness

Uniqueness Score: -1.00%

Function 00B913C8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2443945368.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1434286b03858d6fc99b270115b3009df4002fa314bbc58becb91c2e6fe439b
Instruction ID: d0d05e787e24479feb8287c480121950fe7e161d6acdcaf328f604a0bd2b9c0e
Opcode Fuzzy Hash: b1434286b03858d6fc99b270115b3009df4002fa314bbc58becb91c2e6fe439b
Instruction Fuzzy Hash: 4DE0922110C3814FC312D73CB8506DD7FA1AF863107444A9ED1808B556CA54694A83A1

Uniqueness

Uniqueness Score: -1.00%

Function 00B91D90 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2443945368.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2dbfe4e00a25f34b4810228e45adc72ce81a3f1224ef03f8670730d1b36947c
Instruction ID: 316618b44a2c53d1d2a789f65c0cea21f981ac9b0df55b24090918ce1e7aab36
Opcode Fuzzy Hash: b2dbfe4e00a25f34b4810228e45adc72ce81a3f1224ef03f8670730d1b36947c
Instruction Fuzzy Hash: 9EE0E6757151145FC2046B7DE81C46E7BDAEFC9662314862BF916C73D0CF709C019799

Uniqueness

Uniqueness Score: -1.00%

Function 00B9130A Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2443945368.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f08397fc6cacdf72e3de6753c81439c7cf4e7b13c55020c847c00012efb1cd19
Instruction ID: 6c6486f5622fecaa421a44b30cb51f562dd847ff41734bb2b8ea778c9ad1d1e7
Opcode Fuzzy Hash: f08397fc6cacdf72e3de6753c81439c7cf4e7b13c55020c847c00012efb1cd19
Instruction Fuzzy Hash: 74E04FB0C082855FCB80DBB888525AEBFF0AE4A210B2486EDC80DE7A02D6368503CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B91DD8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2443945368.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d79ed6bd13bffbb4677dab4edd3a52d50bc1bc1fe816ad36d6c5210d4d08f77
Instruction ID: e33929ed13daf2aa40409fceb92f63795a9615bf76b50cee47e863a63c7926db
Opcode Fuzzy Hash: 0d79ed6bd13bffbb4677dab4edd3a52d50bc1bc1fe816ad36d6c5210d4d08f77
Instruction Fuzzy Hash: 37E09230905288EFCB41CF78A8518FDBF71EF8220471401D9D049D3142E6311F199B55

Uniqueness

Uniqueness Score: -1.00%

Function 00B97EF8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2443945368.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00dd04ca795ceec3b12a6925762db89fce61c6a2b37697aa68e40f5a89389622
Instruction ID: 8a503b81abe524ffab364d1750828449186df9c50cab6b4875330af6860407b9
Opcode Fuzzy Hash: 00dd04ca795ceec3b12a6925762db89fce61c6a2b37697aa68e40f5a89389622
Instruction Fuzzy Hash: 30E04F1104C3C24ECB179734A8655DA7FB24B53224B0A8AD9D0D40F4F3C624468ED791

Uniqueness

Uniqueness Score: -1.00%

Function 00B90848 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2443945368.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cd36a4db5731c827e0e50e798fc8c1364c6f00e624fb8f032708c39a1114061
Instruction ID: 520f41ea6370117a743b528379f19dcca76471e4db38d8346e3d9aab14fd5bbd
Opcode Fuzzy Hash: 4cd36a4db5731c827e0e50e798fc8c1364c6f00e624fb8f032708c39a1114061
Instruction Fuzzy Hash: 0FD0123090420DEFCB40DFB8E90199DB7B9EB85250B1045A99508D3251EA316F009B91

Uniqueness

Uniqueness Score: -1.00%

Function 00B91DE8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2443945368.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d2c0b4328afe3bf6bc72cb425be44193d1dba83e36dae4ee33cb3c3681613ca
Instruction ID: 9a8da6453c00c77cd8ab429b28f55e8b8cde6b6d55575ca2f838186e83ec5041
Opcode Fuzzy Hash: 6d2c0b4328afe3bf6bc72cb425be44193d1dba83e36dae4ee33cb3c3681613ca
Instruction Fuzzy Hash: 34D05B7090110CEFCB80DFBCE9059BDB7F5FB85300B1045A9D509D3240EA712F049B85

Uniqueness

Uniqueness Score: -1.00%

Function 00B97ACF Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2443945368.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b90000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d41ec1c9523559a8d154b8a4c8932e3391c33c037016c9297adc206551327197
Instruction ID: 4876306ef9931dfbbb9baca05ed006df84f1629f14c0eca85ab505f1612d18ac
Opcode Fuzzy Hash: d41ec1c9523559a8d154b8a4c8932e3391c33c037016c9297adc206551327197
Instruction Fuzzy Hash: C1D0A9663042400BC35ACA28C8A0594FB929FEB610B1980AEC4C8C73E2CA22CC07C340

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ScreenConnect.ClientService.exePID: 5964, Parent PID: 632COMMON

Execution Graph

Execution Coverage:	13.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	11.1%
Total number of Nodes:	54
Total number of Limit Nodes:	2

Executed Functions

Function 04A6B510 Relevance: 1.6, APIs: 1, Instructions: 93
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessAsUserW.KERNEL32(?,00000000,00000000,?,?,?,?,?,00000000,?,?), ref: 04A6B5DF

Memory Dump Source

Source File: 00000008.00000002.3363987527.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4a60000_ScreenConnect.jbxd

Similarity

API ID: CreateProcessUser
String ID:
API String ID: 2217836671-0
Opcode ID: 6d11548c16d668b8ad2ed6c2312119d55def78a9f0efa19e9abc855d6a4c72d3
Instruction ID: 6c47b2d34bc99083d5af06ebc35d18d8aa5394f77c61fc8d52ba564201a901dc
Opcode Fuzzy Hash: 6d11548c16d668b8ad2ed6c2312119d55def78a9f0efa19e9abc855d6a4c72d3
Instruction Fuzzy Hash: 14413572900219EFDF10CFA9C884ADEBBF6FF48310F15842AE919A7250D735A955CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 04A6C600 Relevance: 1.6, APIs: 1, Instructions: 69
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateNamedPipeW.KERNEL32(00000000,?,?,?,?,?,00000001,00000004), ref: 04A6C69C

Memory Dump Source

Source File: 00000008.00000002.3363987527.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4a60000_ScreenConnect.jbxd

Similarity

API ID: CreateNamedPipe
String ID:
API String ID: 2489174969-0
Opcode ID: 398dbfe13250a3b3b1aaf4c777e4b2c87b50a072701a870d13f7f692abf49dda
Instruction ID: 8ea025067f90d9dd36dacaca0cad8fed376fef829a431a6cd03a9dff4c7675c1
Opcode Fuzzy Hash: 398dbfe13250a3b3b1aaf4c777e4b2c87b50a072701a870d13f7f692abf49dda
Instruction Fuzzy Hash: D63114B5800249EFCB10CF9AD888A8EBFF5BF48310F14C06AE919AB221D375A455CF51

Uniqueness

Uniqueness Score: -1.00%

Function 011B4C5D Relevance: 2.7, Strings: 2, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

3, xrefs: 011B4D1B
`, xrefs: 011B4CA1

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: 3$`
API String ID: 0-1698038309
Opcode ID: 3dfe0e17323ee76e25bbee243864083a1984e2b8a861cf3ffd238813153cc798
Instruction ID: 654f548848d74192161c5a60b125367051ef3c85f601b228f05b281842686726
Opcode Fuzzy Hash: 3dfe0e17323ee76e25bbee243864083a1984e2b8a861cf3ffd238813153cc798
Instruction Fuzzy Hash: 5A511271909399DFDB168F68C8587EDBFB5AF56300F0480EAC5089B692DB344E49CB92

Uniqueness

Uniqueness Score: -1.00%

Function 04A6F9AD Relevance: 1.6, APIs: 1, Instructions: 125
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(?,?,?,?,?,00000001,00000004), ref: 04A6FAD5

Memory Dump Source

Source File: 00000008.00000002.3363987527.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4a60000_ScreenConnect.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7e17663bcd8d1dbf15ed4d3e8ce6799ad0e3a6efff23fc49171d030089e838fd
Instruction ID: 37866b54d07df064dc00535e9ad7315e0e3bd40b935e02ff9ad0d0f1948ef93a
Opcode Fuzzy Hash: 7e17663bcd8d1dbf15ed4d3e8ce6799ad0e3a6efff23fc49171d030089e838fd
Instruction Fuzzy Hash: 975167B1D00249DFDB10CFA9D984BDEBBF1FB48304F248129E809AB251D7799945CF81

Uniqueness

Uniqueness Score: -1.00%

Function 04A6F9B8 Relevance: 1.6, APIs: 1, Instructions: 116
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(?,?,?,?,?,00000001,00000004), ref: 04A6FAD5

Memory Dump Source

Source File: 00000008.00000002.3363987527.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4a60000_ScreenConnect.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 79adb4559551f396b696c03fc86e27e21a277cce6e5a6a1d3514da5a71d3f4c1
Instruction ID: b694f766da8bb71f900ee22aaa89105692660943c32b9b4c2ba63f7aa960700a
Opcode Fuzzy Hash: 79adb4559551f396b696c03fc86e27e21a277cce6e5a6a1d3514da5a71d3f4c1
Instruction Fuzzy Hash: 9B4154B1D00249DFDB10CFA9D984B9EBBF5FB48704F248029E809AB391D779A845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04A6B508 Relevance: 1.6, APIs: 1, Instructions: 93
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessAsUserW.KERNEL32(?,00000000,00000000,?,?,?,?,?,00000000,?,?), ref: 04A6B5DF

Memory Dump Source

Source File: 00000008.00000002.3363987527.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4a60000_ScreenConnect.jbxd

Similarity

API ID: CreateProcessUser
String ID:
API String ID: 2217836671-0
Opcode ID: 588587161c88319c6922379f575c0ba87f79ea449437f4354c5b9209f3ffea3f
Instruction ID: 10cf5143bff4da8e8fa413aeec342c8f4593709e91621fcca50357fc8588ca77
Opcode Fuzzy Hash: 588587161c88319c6922379f575c0ba87f79ea449437f4354c5b9209f3ffea3f
Instruction Fuzzy Hash: AD414676900259DFCF10CFA9C884ADEBBF2FF48310F14842AE919A7250D334AA55CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 04A6C5F9 Relevance: 1.6, APIs: 1, Instructions: 69
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateNamedPipeW.KERNEL32(00000000,?,?,?,?,?,00000001,00000004), ref: 04A6C69C

Memory Dump Source

Source File: 00000008.00000002.3363987527.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4a60000_ScreenConnect.jbxd

Similarity

API ID: CreateNamedPipe
String ID:
API String ID: 2489174969-0
Opcode ID: 1ec3e404fdaac6e03d1eba57de7320aa3878dabdb131ce05cefd7d18aa833ce7
Instruction ID: a013296e4f83a263a9372b6bd22761f9206f51aad77858af2b685bc7b1f7375d
Opcode Fuzzy Hash: 1ec3e404fdaac6e03d1eba57de7320aa3878dabdb131ce05cefd7d18aa833ce7
Instruction Fuzzy Hash: 643125B5800249EFCB10CF9AD988ACEBFF1BF48324F14C06AE919AB221C375A555CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04A6CC2A Relevance: 1.6, APIs: 1, Instructions: 67
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ConnectNamedPipe.KERNEL32(00000000), ref: 04A6CCA8

Memory Dump Source

Source File: 00000008.00000002.3363987527.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4a60000_ScreenConnect.jbxd

Similarity

API ID: ConnectNamedPipe
String ID:
API String ID: 2191148154-0
Opcode ID: 416aeb82fd32edae27caa430f9cd80b8dd00e2a674669a61ddae66d0b1086b29
Instruction ID: f6798642c0ccd7338e145d8b5120602b1f44cd1e785e96789a55214869433d6d
Opcode Fuzzy Hash: 416aeb82fd32edae27caa430f9cd80b8dd00e2a674669a61ddae66d0b1086b29
Instruction Fuzzy Hash: 3A21F2B0D00258DFDB14CFA9D584B9EBBF1AF48710F24805AE85AAB340D774A905CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 04A6CC30 Relevance: 1.6, APIs: 1, Instructions: 65
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ConnectNamedPipe.KERNEL32(00000000), ref: 04A6CCA8

Memory Dump Source

Source File: 00000008.00000002.3363987527.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4a60000_ScreenConnect.jbxd

Similarity

API ID: ConnectNamedPipe
String ID:
API String ID: 2191148154-0
Opcode ID: 50458f703e2bc9bfdbd75c4af9250f2a08304fc73f848bdabe10f7de46a746f0
Instruction ID: 3b2c71a52c9987508fcd34d2f81dd90155f3999320ad83ee64efe33b6b6115ff
Opcode Fuzzy Hash: 50458f703e2bc9bfdbd75c4af9250f2a08304fc73f848bdabe10f7de46a746f0
Instruction Fuzzy Hash: F52104B0D00258DFCB14CFAAD484B9EBBF5BF48710F148069E859AB340D774A805CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 04A6D010 Relevance: 1.6, APIs: 1, Instructions: 59pipeCOMMON

Download Yara Rule

APIs

WaitNamedPipeW.KERNEL32(00000000,0000000A,?,?,?,?,?,?,?,04A6CFD6), ref: 04A6D07F

Memory Dump Source

Source File: 00000008.00000002.3363987527.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4a60000_ScreenConnect.jbxd

Similarity

API ID: NamedPipeWait
String ID:
API String ID: 3146367894-0
Opcode ID: d9b222e9a98cb2e7ec198680fd782d7128493b7e6ec2f266c578c25c11a4cffa
Instruction ID: 3a2e693d2eaf4ec05da707281d232aee2d42844c0d1e9f519f04f942a2004c0d
Opcode Fuzzy Hash: d9b222e9a98cb2e7ec198680fd782d7128493b7e6ec2f266c578c25c11a4cffa
Instruction Fuzzy Hash: CD2115B6800249CFDB10CF9AD484AEEBBB4EB88320F15841ED459A7641C339A546CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04A6B184 Relevance: 1.6, APIs: 1, Instructions: 59pipeCOMMON

Download Yara Rule

APIs

WaitNamedPipeW.KERNEL32(00000000,0000000A,?,?,?,?,?,?,?,04A6CFD6), ref: 04A6D07F

Memory Dump Source

Source File: 00000008.00000002.3363987527.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4a60000_ScreenConnect.jbxd

Similarity

API ID: NamedPipeWait
String ID:
API String ID: 3146367894-0
Opcode ID: ba7a90bde8bd2199b75ec20efbac1c09184a20f6cbeb9e0ba5b219713568cd59
Instruction ID: 9bdb222df85ce33f73eb095202c0fb6209a55dfe6ee5c2afcd616b4f2ef61c3e
Opcode Fuzzy Hash: ba7a90bde8bd2199b75ec20efbac1c09184a20f6cbeb9e0ba5b219713568cd59
Instruction Fuzzy Hash: 6B2127B59003499FDB10CF9AD484BEEBBF4EB49310F11842DD45AA7241D379A946CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04A6CD3A Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32 ref: 04A6CD95

Memory Dump Source

Source File: 00000008.00000002.3363987527.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4a60000_ScreenConnect.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: d6b08e86272f65f0ec0157b55c44982f523d60316fefb4df8af8081cca950701
Instruction ID: 2abeee452d9203bc4d78f81e21296658437aad32510ba064f0396f113e0441e0
Opcode Fuzzy Hash: d6b08e86272f65f0ec0157b55c44982f523d60316fefb4df8af8081cca950701
Instruction Fuzzy Hash: E51163B5800249DFDB10CF9AC585BEEBBF4EF48324F20841AD568A7341D338AA45CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04A6CD40 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32 ref: 04A6CD95

Memory Dump Source

Source File: 00000008.00000002.3363987527.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4a60000_ScreenConnect.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 267634fe1a6cb73986d50cdbb9dd4c75e9ab2be424898167dc51c6cf03c57ef4
Instruction ID: 8ed441df8591e9b1754db178862291dfb3c1f244c1daed7ac3d56c466dca7938
Opcode Fuzzy Hash: 267634fe1a6cb73986d50cdbb9dd4c75e9ab2be424898167dc51c6cf03c57ef4
Instruction Fuzzy Hash: F41122B5800249DFDB10CF9AC485BEEBBF4EB48324F20845AD568A7341D339A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 011B6EBB Relevance: 1.4, Strings: 1, Instructions: 118COMMON

Download Yara Rule

Strings

(, xrefs: 011B6FEE

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-1334834377
Opcode ID: fd725aaece90821a9228a293601e409e8aa85ca8e29be175fe62eeb22e496d9a
Instruction ID: 9fae06be8295c04f721fcf222efe81510f1941c4bf2d3d2f464dd9c749a3da7e
Opcode Fuzzy Hash: fd725aaece90821a9228a293601e409e8aa85ca8e29be175fe62eeb22e496d9a
Instruction Fuzzy Hash: 8D41CE72B003168F871AEB7CD8A16AE7BE6EBC9340304852DD519DB345EB34AD08CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 011B6ED8 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

(, xrefs: 011B6FEE

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-1334834377
Opcode ID: 26f6d481b73c8e37058efcfac7fd4c40d7710e5f05861bd032547396857c7f5d
Instruction ID: 220504432ff14544f6ce2fcd0b282fd73dd623a9e8aa936beb7436a1976b3f67
Opcode Fuzzy Hash: 26f6d481b73c8e37058efcfac7fd4c40d7710e5f05861bd032547396857c7f5d
Instruction Fuzzy Hash: A231BF71B003128F871AEB7CA8A16AE7BE6EBC9350305C92DD119DB345EB34AD04CB91

Uniqueness

Uniqueness Score: -1.00%

Function 011B6EE8 Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

(, xrefs: 011B6FEE

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-1334834377
Opcode ID: f3e913954b4cd59e0253b7e3d4c8ceda989a4cf2620d12b0529db5912e73d9d7
Instruction ID: 3dd1c591eede341c90273a0c18d61ea27af61e434fa67c62c8ac84dd1205baa8
Opcode Fuzzy Hash: f3e913954b4cd59e0253b7e3d4c8ceda989a4cf2620d12b0529db5912e73d9d7
Instruction Fuzzy Hash: 0331D271B003128B8719EB7CE8916AE7BE6EBC9350300C92DE519DB344EF34AD0487D0

Uniqueness

Uniqueness Score: -1.00%

Function 011BCC38 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6cfd28cdff019f7fb7848cc2ed305d2363d86523cd02ec894d3db25e83321c7
Instruction ID: 008b89bdd6ada379e12fe605b4e72ec432d9888cea93961c3cb7221bd18541d7
Opcode Fuzzy Hash: f6cfd28cdff019f7fb7848cc2ed305d2363d86523cd02ec894d3db25e83321c7
Instruction Fuzzy Hash: 07A1E834B00209CFDB18DBA8C594AAEBBF5EF89300B1485A9E505EB365DB71ED05CF91

Uniqueness

Uniqueness Score: -1.00%

Function 011BC293 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8dec35fc84181c96b5fdc97d8fe7d6a9300d662e4c83443143d7d9682c5c8c3
Instruction ID: 0aa11d4c3cbb35a31f684ce0116e5c678903ccdf689e592f51cb5b2ca587f4cc
Opcode Fuzzy Hash: c8dec35fc84181c96b5fdc97d8fe7d6a9300d662e4c83443143d7d9682c5c8c3
Instruction Fuzzy Hash: B0A16530E00319CFDB19DFA9C494BAEBBB2FF88304F118559D509AB365DB74A985CB81

Uniqueness

Uniqueness Score: -1.00%

Function 011BEAF8 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 647b28d2e4e57742d13da16aed9061b59a3ab2e48883e09403dc7cad1122a03a
Instruction ID: 099a09e6a0ed62193f27483077c64d638028a475955755e43db5a558e2b1e4ef
Opcode Fuzzy Hash: 647b28d2e4e57742d13da16aed9061b59a3ab2e48883e09403dc7cad1122a03a
Instruction Fuzzy Hash: 20818132F012198BEB19EFB9C4907EE7BB6AFC8700F148529E506AB384DF349D458795

Uniqueness

Uniqueness Score: -1.00%

Function 011BCC28 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59f5be3cb6e30da52e7909bf9014160b52d40d62c871eb16838a873651963052
Instruction ID: 554db656fbc9e8393e1c8d1bc9a83f0a2f39fcdd6b16c269c9074bbc9312afb3
Opcode Fuzzy Hash: 59f5be3cb6e30da52e7909bf9014160b52d40d62c871eb16838a873651963052
Instruction Fuzzy Hash: EAA1F934A00205CFDB08DFA8C594AAEBBF2EF89300B1485A9E505EB365DB71ED01CF90

Uniqueness

Uniqueness Score: -1.00%

Function 011B8CB0 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47f9dfd3901dd15721ed2b690cea005fe5b52a4728b236e2c91494b34d3f9725
Instruction ID: 75d46c309a324747d8f4de8f3c178d7f67dc6564ad63712f522a98255af92a9a
Opcode Fuzzy Hash: 47f9dfd3901dd15721ed2b690cea005fe5b52a4728b236e2c91494b34d3f9725
Instruction Fuzzy Hash: 16610634B10219DFDB18DF69D894AAEB7B6FF8D704B148168E506AB361DB30EC01DB80

Uniqueness

Uniqueness Score: -1.00%

Function 011BA668 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 097a85f9ad1bd34e99b1ffb2c26bf5e578b546eeec8b4798b392c1a5d6c8d75b
Instruction ID: 44780502633e14ad824356a1016fe4f7e56ca793dfe5dcd666fd3b87b13d540a
Opcode Fuzzy Hash: 097a85f9ad1bd34e99b1ffb2c26bf5e578b546eeec8b4798b392c1a5d6c8d75b
Instruction Fuzzy Hash: 84512370B002119FDB28DB68E8987AEBBF2BF85310F14856EE456DB395DB309C45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 011BAA90 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b12046334c38e448638182b5510a786be7f83a6d11c3ec2dd5370dfab9bfcb26
Instruction ID: bb525fd210dad296327f2b03b6c3b087ae29482df93b09424418c5970019b1d7
Opcode Fuzzy Hash: b12046334c38e448638182b5510a786be7f83a6d11c3ec2dd5370dfab9bfcb26
Instruction Fuzzy Hash: 5751AE70E00309DFDB01DFB8D894BD9BBB5FF8A300F148599E508AB252EB70A845CB90

Uniqueness

Uniqueness Score: -1.00%

Function 011B5E15 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4f11fa089c3ed3e21b15a51285016122b5d4d2872d12de0a5dd2450f10da426
Instruction ID: 09187a1fece7182f8fa7a1bb8e1cba6f21c7034a680f954e37441db524d78f9f
Opcode Fuzzy Hash: b4f11fa089c3ed3e21b15a51285016122b5d4d2872d12de0a5dd2450f10da426
Instruction Fuzzy Hash: 0D51C3717002058FD75AEB39D994AAE7BF2AF89340B148469D406DB362EF71DC01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 011BC29D Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94bf7c3be6b03207b23ab2cdfca7c6c74fd233d52154566ebd3a823b5f272178
Instruction ID: f8217202a4edc8bc7d692ba32c049d798719306558c9dbdb22976f6706d352e6
Opcode Fuzzy Hash: 94bf7c3be6b03207b23ab2cdfca7c6c74fd233d52154566ebd3a823b5f272178
Instruction Fuzzy Hash: D1515030A00319CFDB19EFB4C494AADBBB1FF85304F118569D44AAB365EB75E985CB80

Uniqueness

Uniqueness Score: -1.00%

Function 011B5DF8 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49fb6fd4f7598daf29c04e98b6fe582c920be3611a7dc3097d6c9035668e13a4
Instruction ID: d6c687d909bd0b75b4923e204337ef9b19a9d3733bb02715749a27e564220717
Opcode Fuzzy Hash: 49fb6fd4f7598daf29c04e98b6fe582c920be3611a7dc3097d6c9035668e13a4
Instruction Fuzzy Hash: D651AE307002158FDB59EB39D8A46AEBBF6AF88704B148469D50ACB361EF71DC02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 011B5E38 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 627e914c7cbf5d3cc20d2b048e88a92d39e4fbf88687eb383f35f012b4f36d70
Instruction ID: a6952fdc3bb56f7ae95a14d5f10189fc81b182e63d216eb3a88f40d2c378e7f9
Opcode Fuzzy Hash: 627e914c7cbf5d3cc20d2b048e88a92d39e4fbf88687eb383f35f012b4f36d70
Instruction Fuzzy Hash: 81519F317002058FDB59EB39D994AAEB7F6EF88700B108468E50ADB361EF71EC01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 011B83B8 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ae56afbf1c44f7f49d5e791960fe88ce23de6cc90dba6b2c3b78f08a9cc6328
Instruction ID: 4d67220098e8ae0fba77f33853e2a45acd89795c2891b6ec25632cb35b689f03
Opcode Fuzzy Hash: 1ae56afbf1c44f7f49d5e791960fe88ce23de6cc90dba6b2c3b78f08a9cc6328
Instruction Fuzzy Hash: 31510C30200B05CFD728DF29D894A66B7F6FF8D724B144A6CD59A9B7A4DB31E802CB50

Uniqueness

Uniqueness Score: -1.00%

Function 011BAA82 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1de2c4779ead08da46bd8263f3751912307626410ee89ef1fa5c40280a71c85
Instruction ID: 4cde6bc554a478003a066d71659751260c69f1c372e1ca5addd7eb2350390244
Opcode Fuzzy Hash: d1de2c4779ead08da46bd8263f3751912307626410ee89ef1fa5c40280a71c85
Instruction Fuzzy Hash: 3A513870E40319DFDB01DFB8D894BD9BBB2FF89300F108659E508AB251EB70A995CB90

Uniqueness

Uniqueness Score: -1.00%

Function 011B7D68 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46675a1b0c4d4a421334bbf2903ab3268c0945420605defc7e8af7b61c521dd1
Instruction ID: b7548b67ec9364004c2e09045ee2dfe468e64df5b88491d7822a261202498bd4
Opcode Fuzzy Hash: 46675a1b0c4d4a421334bbf2903ab3268c0945420605defc7e8af7b61c521dd1
Instruction Fuzzy Hash: 8D41D331A00219CBDB19EF68E4946AEBBB6EFC4300F04C169D9059B385DF30AD06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 011BEAEF Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a88a781d496cab828f878edf7de125387ce5ccf36a101ef48db4abf9c3f1d0d0
Instruction ID: ea46790336d487aed870031563a70599601b16b84fde0cce3c0c4268b5c16791
Opcode Fuzzy Hash: a88a781d496cab828f878edf7de125387ce5ccf36a101ef48db4abf9c3f1d0d0
Instruction Fuzzy Hash: E2415E71E0121ADBEB18DFA9C9C0BEEBBB5EF88700F148129E505B7344DB70A941CB91

Uniqueness

Uniqueness Score: -1.00%

Function 011B9881 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 552258a3921e63e8594c3e6a8d195d7447ecf454a094e4b2139aa3ea50bdcba7
Instruction ID: 6e90beef3f639784b50bc9ec08fed53c53a7a8a9ad9256feb21319837875f1cb
Opcode Fuzzy Hash: 552258a3921e63e8594c3e6a8d195d7447ecf454a094e4b2139aa3ea50bdcba7
Instruction Fuzzy Hash: B24159306102098FC758EB79D894AAEBBF2BF89614B158568E506DB3A1EF709D05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 011B7830 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cd178a487ed10e27fd259fd3cad14adbb203ac4cc72b798ede15e0a58736653
Instruction ID: 176767b6b96a386fd9c195c0be1f9c15f32786e206f82c3dab89763b6af25756
Opcode Fuzzy Hash: 7cd178a487ed10e27fd259fd3cad14adbb203ac4cc72b798ede15e0a58736653
Instruction Fuzzy Hash: 39315C34B002098BDB28DF69C494AAEFBF6EFC9364F148469D506E7794EB70DC048B90

Uniqueness

Uniqueness Score: -1.00%

Function 011B9890 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3760d0b01ea7dce7525963a8150f6c563c57d1f35c01f8060388d150a6af6bb6
Instruction ID: 4197fb610e081a47f998891a9cf64975cb6edeff8df5f4e73a7030ee118a9db5
Opcode Fuzzy Hash: 3760d0b01ea7dce7525963a8150f6c563c57d1f35c01f8060388d150a6af6bb6
Instruction Fuzzy Hash: AD4149707102198FCB58EB79D894AAEBBF6BF88714B11856DE506D73A0EF709C05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 011B4F30 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01100f1aed0509a6822e3d04872a2a72c02e2867e1b3eb7549759e71490c33b0
Instruction ID: b3cf707f9540533e9f50ae5e9155dd67baa7dbf4c18a1e6a3372755e9483930d
Opcode Fuzzy Hash: 01100f1aed0509a6822e3d04872a2a72c02e2867e1b3eb7549759e71490c33b0
Instruction Fuzzy Hash: E83178B2C002099FDB14DFA9D845AEEFBF5EF89310F10842AD519A7241D778A9458FA1

Uniqueness

Uniqueness Score: -1.00%

Function 011BD3B9 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d7ae066edac8e808135951830133f50ad80cd17a8c219deb2839502d6adba3c
Instruction ID: abd887be3a039a7eb3bd923efd666b4eb0f7ba33aac646ce1bc35cd5e2b3d0ee
Opcode Fuzzy Hash: 1d7ae066edac8e808135951830133f50ad80cd17a8c219deb2839502d6adba3c
Instruction Fuzzy Hash: AA314B74600B05CFCB38DF69D8846A6BBF1FF49314B004A58D1969BAA5D730F946CF80

Uniqueness

Uniqueness Score: -1.00%

Function 011B9E10 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8304d39ba0727678c5a8a15ea572c6d489e6beca49f8d260632e30d8fcfb03c4
Instruction ID: 7fcf04de303fad9baa1810be718d5ca40fa5b46a3cb1d0e10cff7e843f45abb7
Opcode Fuzzy Hash: 8304d39ba0727678c5a8a15ea572c6d489e6beca49f8d260632e30d8fcfb03c4
Instruction Fuzzy Hash: 703117B0A00219DFDB18EF69D899BEE7FB5EF44315F144029E602A72A0DF709946CB91

Uniqueness

Uniqueness Score: -1.00%

Function 011B5497 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86968269d4530e70e0bb7e2d0388f49337662610dc499b08f49b5c237ac092c4
Instruction ID: f4823352237bad5cdc60feba14d7560c80cb7e3b4f4c3d5873278c51f5dfa4d7
Opcode Fuzzy Hash: 86968269d4530e70e0bb7e2d0388f49337662610dc499b08f49b5c237ac092c4
Instruction Fuzzy Hash: 3831E163A0E3E45FC3079B78ACB41D93FB69DA721530940EFD584CB297D694890AC7A3

Uniqueness

Uniqueness Score: -1.00%

Function 011B61B8 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17b4970156ee4314ee3c791098909fb86a070a9244ad0a2a10ffab63616a9cc6
Instruction ID: 06cc30c1a153d21056875ef2c1a327a9a7e72cf39be49efbe3fa69f2428053c5
Opcode Fuzzy Hash: 17b4970156ee4314ee3c791098909fb86a070a9244ad0a2a10ffab63616a9cc6
Instruction Fuzzy Hash: 31312B30600B058FE734DF69C8946AABBF1EF99310B144A68D556DB7A1DB30E946CF80

Uniqueness

Uniqueness Score: -1.00%

Function 011BD3C8 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebe1d86c2b1abd564a3e755a6f1770279a476fe1b621a7a0486e46704e72dd03
Instruction ID: 9b55551c2e845313a069437d472fc1dbec55e21560d5458ca1850d5d1dcaeaf7
Opcode Fuzzy Hash: ebe1d86c2b1abd564a3e755a6f1770279a476fe1b621a7a0486e46704e72dd03
Instruction Fuzzy Hash: 24311A74600B058FCB38DF6AD8846A6BBF1EB49314B144A6CD1969BAA1D734F946CF80

Uniqueness

Uniqueness Score: -1.00%

Function 011B8FC0 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c9b65ef28d4bf1e926b9a75d6138a00e4b5c932a292252fd12bb40f61d6282a
Instruction ID: 135b153b6e7603534a2d0dface927fe7b978d1ed7bfd7df6a688aab8b4d9b002
Opcode Fuzzy Hash: 8c9b65ef28d4bf1e926b9a75d6138a00e4b5c932a292252fd12bb40f61d6282a
Instruction Fuzzy Hash: 51315C70600709CFC734DF29D884AAAB7F6EF89314B144A2CD59ADB7A1D731E806CB91

Uniqueness

Uniqueness Score: -1.00%

Function 011BD570 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fec1b45d6dad1c3ce0f5ae9f4be8587beed4c93b9fe0894374c11455aae331d
Instruction ID: 6b472e8fd0f719078b31382cdd1ce19c03a489c37c9a11696b24390b9948d9c8
Opcode Fuzzy Hash: 3fec1b45d6dad1c3ce0f5ae9f4be8587beed4c93b9fe0894374c11455aae331d
Instruction Fuzzy Hash: 3B31EB746007058FCB28DF6AD8846A6BBF1EF89318B144A2CD556DB7A1D730E946CF80

Uniqueness

Uniqueness Score: -1.00%

Function 011B9DF0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c05942e9b055118b505a6ec242d8cdd2cdc2a3451c0e7a6e08000ae8ef54e23f
Instruction ID: 3c30daea125fdf6c7a269c127e1fbce64ca8b6de738c7f77dfedfdc94762ada1
Opcode Fuzzy Hash: c05942e9b055118b505a6ec242d8cdd2cdc2a3451c0e7a6e08000ae8ef54e23f
Instruction Fuzzy Hash: 39318DB0A00218DFDB19DF69D898BED7FB5EF45314F144169E602A72A0DF709846CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0097D688 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3344666511.000000000097D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0097D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_97d000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84b73b336b222d297ed28edd5f2f8285468bfc15201b1e6a7e3d3c64419633de
Instruction ID: ba924558fb839331e1bd98d0c7e9dc84837338f719121ac421d06d7946977566
Opcode Fuzzy Hash: 84b73b336b222d297ed28edd5f2f8285468bfc15201b1e6a7e3d3c64419633de
Instruction Fuzzy Hash: 472103B6501240EFDB09DF14D9C0B26BF75FF98314F20C569E90D0B256C33AD856CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 011B4B3A Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbeeddf144a30a8c72c2fefc3bbbdd3a6ed1ecae3b0c0dd83f37e1acfc66f39e
Instruction ID: c25bfa792ca03a93658b7a63f5c0ce1a3c6099e1747ad66dfda3cd0d93281314
Opcode Fuzzy Hash: bbeeddf144a30a8c72c2fefc3bbbdd3a6ed1ecae3b0c0dd83f37e1acfc66f39e
Instruction Fuzzy Hash: 77217A718043488FDB24CFADD584BEAFBF4EF49210F15805AD555AB642D3389505CFA6

Uniqueness

Uniqueness Score: -1.00%

Function 011B32E0 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 599726e7ef6951343171d38c781b4ec1786d45921c7b33c538d8a1bd683735d9
Instruction ID: ab6340412cfd4b380b9d55ce17a5f00df43f2837db975c649b3c95097967b744
Opcode Fuzzy Hash: 599726e7ef6951343171d38c781b4ec1786d45921c7b33c538d8a1bd683735d9
Instruction Fuzzy Hash: 3D212231B0A210CFCB04DB74D8895AEBBB4FF4A31170481AAD92AD73A1DF309802CB61

Uniqueness

Uniqueness Score: -1.00%

Function 011B8B39 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c01622c04cca2769eb714aa30a3cfca6756b5347878d90e7be7144fdf286ecbb
Instruction ID: 8adb1492f33077592681fc11f3cae73b800b90cfa1389c13727f4d51b93b2fbb
Opcode Fuzzy Hash: c01622c04cca2769eb714aa30a3cfca6756b5347878d90e7be7144fdf286ecbb
Instruction Fuzzy Hash: 0821D4727002059BD705EB78E8A17ADB7A2EFC9310F04C529D509AB352DB706D0587D1

Uniqueness

Uniqueness Score: -1.00%

Function 011BEE18 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 562545d5774fde6be1256b53123549c70858c4499752b605ed64a00ccd1be091
Instruction ID: 13668fc9a5c325d558010c3e430dcabd1ba7ac5d69290c943af9dc67497e36e6
Opcode Fuzzy Hash: 562545d5774fde6be1256b53123549c70858c4499752b605ed64a00ccd1be091
Instruction Fuzzy Hash: B911B6327056659FCF0A9FA8A8946DD3BB6EF8A3507104496E505CB285CB309C16CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 011BED4F Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ce41c00675048f6f94a9902ec71e4744532fbba2c6f5f783c8e7a2366fb2373
Instruction ID: 71ccc8a0f8c27ef2ed2a92d9478956124cd532f91665b6179cafb4e026ec4779
Opcode Fuzzy Hash: 1ce41c00675048f6f94a9902ec71e4744532fbba2c6f5f783c8e7a2366fb2373
Instruction Fuzzy Hash: A3112B337042144FDB0A9FB894602AE3BA7EFC93507148459E906CB385DF344D16C7E6

Uniqueness

Uniqueness Score: -1.00%

Function 011B32D0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa7f76fbc138e3f7c81b8f2a2cac895ad2bbb207ad1560c611907aeb81f75ddf
Instruction ID: c2597ade837973018d525a41098b3a5574ef628bdc0914c7070208732ac9639a
Opcode Fuzzy Hash: fa7f76fbc138e3f7c81b8f2a2cac895ad2bbb207ad1560c611907aeb81f75ddf
Instruction Fuzzy Hash: 2021CF35B19110CFCB18DF74D98859EBBB1FF892117088565D92AD73A0DF30A811CB51

Uniqueness

Uniqueness Score: -1.00%

Function 011BD950 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7debb1f16a7c3a32cf1091bcf83b4bb7246521698203e98c345c98e02bad714
Instruction ID: f39c9cba80b79f325ce8f5898372ff04a37e26378bf076737bf6ecf77b629a57
Opcode Fuzzy Hash: d7debb1f16a7c3a32cf1091bcf83b4bb7246521698203e98c345c98e02bad714
Instruction Fuzzy Hash: 622142713007119FDB05DB78E891BAAB7B6EF85360700CA99F519DF316EB70AC058B91

Uniqueness

Uniqueness Score: -1.00%

Function 011B85E8 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 548ca2121cbb3a4147ff007c98bf6fefbaa6a3b34469ad21c1dc514199877517
Instruction ID: ba174bb67e48c33b93156e0283da2abef10e7a2a3b7e50144127e7ad07cea197
Opcode Fuzzy Hash: 548ca2121cbb3a4147ff007c98bf6fefbaa6a3b34469ad21c1dc514199877517
Instruction Fuzzy Hash: 11213E30200705CFD738EF6AD89469ABBF5EF44724B008B2DD592976A1DB71E94ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 011BE820 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 387b8064c018065316eb6a8567a9509e9b4a10cf9dda9c62cfc5f5ac65835b62
Instruction ID: 261d52801927d167e0fc3329c182ae9a5b0b5dff148ecb2d183fb51ea07b0946
Opcode Fuzzy Hash: 387b8064c018065316eb6a8567a9509e9b4a10cf9dda9c62cfc5f5ac65835b62
Instruction Fuzzy Hash: BA21597680024ADFDF14CF9AC884ADEBBF5FF48310F148419E914A7210C339A555CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 011BEFF0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99db7fbd023c82e9f5327ce94bd11adb7191669d1a4a8430cb103b9926361f0d
Instruction ID: c627759a767eafe6b551909a3831a46008912187c5ead833597b92019282d9ed
Opcode Fuzzy Hash: 99db7fbd023c82e9f5327ce94bd11adb7191669d1a4a8430cb103b9926361f0d
Instruction Fuzzy Hash: 0D2114B680024ADFDF10CF9AC984ADEBBB1FF48310F15851AE918A7210C339A556CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 011BE4E0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40233ec0991a1430bf7210d16c9ec30430805b8aba88f8f8d56b67e6ead14435
Instruction ID: 2c162f4ff0486e8b50ef7559e4409188bde2f8cc0032c9fc0649e57397f98f56
Opcode Fuzzy Hash: 40233ec0991a1430bf7210d16c9ec30430805b8aba88f8f8d56b67e6ead14435
Instruction Fuzzy Hash: DA216D31D1070A99CB01EFB8D8501EAFBB4EF99300F10C66AE598B7111FB30A295CB91

Uniqueness

Uniqueness Score: -1.00%

Function 011B8B48 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aefe0e7f421f053376655e61d7b4d4f3e3c65e477e0e990d50645ac5e341b67b
Instruction ID: d03b1cdd5d8637d31dfcdc004254c241acb3c5835ff89100f85d5cc7168b0e96
Opcode Fuzzy Hash: aefe0e7f421f053376655e61d7b4d4f3e3c65e477e0e990d50645ac5e341b67b
Instruction Fuzzy Hash: 7B11C4327002059BE704EB78E891BAEB7A2EFC9710F14C928E509EB745DF70AD1587D1

Uniqueness

Uniqueness Score: -1.00%

Function 011B8A48 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b171fc8dc570ada8400e411a3eb9fb3ef9c2cf4f05f4a21499b4ab384008eafc
Instruction ID: 2f82164bae25a8f3bfa8fe2e5d25e1da037a42dce802fafd92ccbb64472e0e7d
Opcode Fuzzy Hash: b171fc8dc570ada8400e411a3eb9fb3ef9c2cf4f05f4a21499b4ab384008eafc
Instruction Fuzzy Hash: 5811B232D0014ACBDF08EFB9D8845DDBBB6EF8A714B09C529D505BB211EB316C16CB91

Uniqueness

Uniqueness Score: -1.00%

Function 011B89B8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db6d353439e2ce9a3bdc7b8ea74d03c11943c6158e703cdb2a1c551b8e0f1792
Instruction ID: 30c9a263232eca475e4e4157f2021bf748c545974b0d2e7fb6d52dd0fe56ac6f
Opcode Fuzzy Hash: db6d353439e2ce9a3bdc7b8ea74d03c11943c6158e703cdb2a1c551b8e0f1792
Instruction Fuzzy Hash: 4111543690024A9FCF01DFA8D9809DEBBF5EF4A304B10855AE644FB261E7716E06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 011B90C0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d78960fa09c1c89dd151365e6e5251a373d1f52c589a8f6a16c00145f1fa42d6
Instruction ID: f7659bf79aa2fa332bbdcca6779f7de964f8f4df8283466681cda103113e0f8d
Opcode Fuzzy Hash: d78960fa09c1c89dd151365e6e5251a373d1f52c589a8f6a16c00145f1fa42d6
Instruction Fuzzy Hash: 501127B0E04309AFDB19CB68C8809EE7BB6AFC2314F05C5AAD740D7151D3719903CB91

Uniqueness

Uniqueness Score: -1.00%

Function 011B0790 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ee36e071513f40db91b75e12c9b6cb76cd81a3ff780fb8b1b0d52f3c5d6f04a
Instruction ID: ea15c58b038d606dd287b06307415bccd2fa5ba60567fd835968232011991848
Opcode Fuzzy Hash: 0ee36e071513f40db91b75e12c9b6cb76cd81a3ff780fb8b1b0d52f3c5d6f04a
Instruction Fuzzy Hash: E611619350E6D09FD30B4B3898A13E67F75DB97208B5640CBD5848B263E626C907C763

Uniqueness

Uniqueness Score: -1.00%

Function 011B0E92 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0bb3a2d18972740d27bba8e1ccae6f49e36c52801e388a063c3ef8c72817619
Instruction ID: 3300bdbdd52ae9f7c363e90b6afe6bcc7abe38d77c3cffa460fef327df9e65a6
Opcode Fuzzy Hash: b0bb3a2d18972740d27bba8e1ccae6f49e36c52801e388a063c3ef8c72817619
Instruction Fuzzy Hash: 9111913220C3805FC7075738A86119A7FB2DE87214318C5FED189DF652EE229D07C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 011BA505 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7ac2b8f233a8f373d230a8ab01cba0dd4c987065231bc9881774e0528ecc065
Instruction ID: 8a719a0806f598c13e934571e47ed4fb2b851810d78c0be06504ec6f8881f9c5
Opcode Fuzzy Hash: a7ac2b8f233a8f373d230a8ab01cba0dd4c987065231bc9881774e0528ecc065
Instruction Fuzzy Hash: EB11E17290D3C15FD7178738AC665D57FB8DF87220B0981EBD884CB153DB29A8068761

Uniqueness

Uniqueness Score: -1.00%

Function 011BD960 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e087b5166392bd66b4d32341b1bb37e47536bb4338a5b22bc5df9b5f743e894b
Instruction ID: 4fff7a997c7cea8ff6e33555b403ed2a122a49976effe006b03cb2e3803d1e36
Opcode Fuzzy Hash: e087b5166392bd66b4d32341b1bb37e47536bb4338a5b22bc5df9b5f743e894b
Instruction Fuzzy Hash: CD1151313002059FC704DB78E891AAEB7A9EFC5250700CA69F51ADB315EB71EC058BD0

Uniqueness

Uniqueness Score: -1.00%

Function 0097D683 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3344666511.000000000097D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0097D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_97d000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
Instruction ID: bf6358cf69048d8e516bf7808acf0aa259edee0725a52d4b1ed9c82affdc3f75
Opcode Fuzzy Hash: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
Instruction Fuzzy Hash: A811E6B6505280DFCB16CF10D5C4B16BF71FF94314F24C5A9D8094B256C33AD85ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 011B4B54 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a93b02a0ffb19bb70ac20e8fee9b7a3eda712055d61e3e4dc1360e0a8443142c
Instruction ID: bc1bea0770e4a710473ac0b4d2558ebb776f531cec9ed137551064a1d1e86617
Opcode Fuzzy Hash: a93b02a0ffb19bb70ac20e8fee9b7a3eda712055d61e3e4dc1360e0a8443142c
Instruction Fuzzy Hash: BA2144B5C04249DFDB10CF9AC884BEEFBF4EB48320F10842AE918A7201D378A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 011BF200 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4aad71045c7a6ec5e8f5da45c44c5dc060071fa2a1c924e1c41349d7503b454
Instruction ID: a07d835aaf636e1f38ce192fe1e15b9f00372d3989b9e2e4490843d569d7e298
Opcode Fuzzy Hash: b4aad71045c7a6ec5e8f5da45c44c5dc060071fa2a1c924e1c41349d7503b454
Instruction Fuzzy Hash: F901627B7401108B8708DA6EF89496EB3EAFBC9761314857AE50AC7311DF32DC138794

Uniqueness

Uniqueness Score: -1.00%

Function 011B90D0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17306aa7a37159687a737121fee90f24aac1c4c267d3f92c0a2a104c3f6347d5
Instruction ID: cb327cf51c7b0375d07fcb913c8fd6be04aad695b2c7871ca22835a907f77b74
Opcode Fuzzy Hash: 17306aa7a37159687a737121fee90f24aac1c4c267d3f92c0a2a104c3f6347d5
Instruction Fuzzy Hash: E111E1B0F00209AFDB28CB69C880AEBB7B6AFC5710F10C5A9D604D7140E7719902CB91

Uniqueness

Uniqueness Score: -1.00%

Function 011BC780 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47f1cce947d9e5fdcc3c5e15529785e7237564a6b5286f1f3e383b6aab88e573
Instruction ID: 03d1284981af014888c6e0ed6c56452712864b4c8ad06516199f33afb87f1476
Opcode Fuzzy Hash: 47f1cce947d9e5fdcc3c5e15529785e7237564a6b5286f1f3e383b6aab88e573
Instruction Fuzzy Hash: F311E831E04259CFDF18EFA8D8A4BEDBBB1AF89311F000469D105BB3A0DB742944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 011B8AAD Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a841e8dc10b3fae71318fcbce47a731ed715419640e9a255cdb686efa8c80f0e
Instruction ID: 1c3d677bdaf415754bc9296093eebcf78c2f17c57b3d2ae7708b5d0c896dafd4
Opcode Fuzzy Hash: a841e8dc10b3fae71318fcbce47a731ed715419640e9a255cdb686efa8c80f0e
Instruction Fuzzy Hash: 43115531A0404ECBCF08EFB8D9809DCBBB2FF85304B15C564E145AB212DB31E946CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 011B89C8 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e338547aa52fd0a7a8ad724ac204e8e1289c4e5fa4c670e662987a0f6bc370e0
Instruction ID: 7c8f4ae9d8cd8a1975ba0682b8b90ca96bc613decacbfb6d1ce6bceed5d6e934
Opcode Fuzzy Hash: e338547aa52fd0a7a8ad724ac204e8e1289c4e5fa4c670e662987a0f6bc370e0
Instruction Fuzzy Hash: 0611123690020ADFCF40DFA8D9409DEBBF5FF49314B108569E609BB251D771AA1ACF91

Uniqueness

Uniqueness Score: -1.00%

Function 011BF160 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b70902b56314e040d59dbd01d69d16bf9ff98848704c3d5f8522f8bb09ca4f06
Instruction ID: 48f244da0bf13a2fba71f95ac04a734a6303c09cc1306d03ffc41f2f18c774b1
Opcode Fuzzy Hash: b70902b56314e040d59dbd01d69d16bf9ff98848704c3d5f8522f8bb09ca4f06
Instruction Fuzzy Hash: B90180716093518FCB069B7DECA068ABBF9DF8725070484DBE409CB256DB64AC1987A2

Uniqueness

Uniqueness Score: -1.00%

Function 011BE4A1 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40ec65d565fe8a8737c81b71b56fb9927da6dcc46c8ac4d583f60bc418b23d6e
Instruction ID: baf4b8d3caf4aeebc07017288f145dd85ac175dcde312f40eed029be8f45f51e
Opcode Fuzzy Hash: 40ec65d565fe8a8737c81b71b56fb9927da6dcc46c8ac4d583f60bc418b23d6e
Instruction Fuzzy Hash: 97119A70905345CFCB29DFACD4C4AE97FB0EF06320F148A8AE064DB2A2DB749541CB82

Uniqueness

Uniqueness Score: -1.00%

Function 011BA545 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95be986b0243ace1652ee63575a455263d19a88c51e0e94434cfcf02ad08f968
Instruction ID: e5fd8ea399de3ca0cd55b865091c21134059990b6b8d92a701182c688e2baf9e
Opcode Fuzzy Hash: 95be986b0243ace1652ee63575a455263d19a88c51e0e94434cfcf02ad08f968
Instruction Fuzzy Hash: 6D01A46390D3F15FD7175A3CA8746D63FA88FA7128B0A00EBD484CF293E9058D4987A7

Uniqueness

Uniqueness Score: -1.00%

Function 011BC770 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f419276d971b9ee0cc4b3601aea74a826ff9b73a58685edb9c712284544758f
Instruction ID: 003d07db60ac83b9832b405c6e3efb754ab036cc8b456a2f286490add36366e3
Opcode Fuzzy Hash: 4f419276d971b9ee0cc4b3601aea74a826ff9b73a58685edb9c712284544758f
Instruction Fuzzy Hash: 7C110371E00218CFDF19EFA8D8A0BED7BB1AF4A314F010469D102BB2A0DB742940CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 011B8C0F Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6672d404f510979bb06ea1ea5e77b163c7445076469eeceb089cc67ad6be9439
Instruction ID: 900a4717fe7a3d856af12c15f46a5f1e73b1ac1a979d35cdf287a2d27b04de96
Opcode Fuzzy Hash: 6672d404f510979bb06ea1ea5e77b163c7445076469eeceb089cc67ad6be9439
Instruction Fuzzy Hash: 2901D6727052045FC705DF7CD8809EABBFDDF86260314862AE549C7352D7719C028790

Uniqueness

Uniqueness Score: -1.00%

Function 011BA590 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c756900aa8e2cc8a29102b62aff61499d89ab890a73d1496bc560c147daf1fb
Instruction ID: 85e8e2b8d2e4f6ce36e3704d37eec27354ea4bd576965b2a0b80bfb216e05985
Opcode Fuzzy Hash: 0c756900aa8e2cc8a29102b62aff61499d89ab890a73d1496bc560c147daf1fb
Instruction Fuzzy Hash: 0001DB72F00325ABD7099A6DA85449B77EDEFC8260310896ED515DB305DF71DD014BC0

Uniqueness

Uniqueness Score: -1.00%

Function 0097D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3344666511.000000000097D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0097D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_97d000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e94cf9dc3016ca2da45570d681781565efb98e33bac6e148c48d518fdf4428cd
Instruction ID: f6c215442724e7b145f40e830c5d0ffc9f4ebc77b41c4a61daa0add4d08c5f2a
Opcode Fuzzy Hash: e94cf9dc3016ca2da45570d681781565efb98e33bac6e148c48d518fdf4428cd
Instruction Fuzzy Hash: 9201F232006340EAEB104E25D8C4B67FFACEF82360F18C41AED0C0A282C2799945C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 0097D006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3344666511.000000000097D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0097D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_97d000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3f751e7a1054b9be1ee54a091cf5168d26ba8e6faff9e376956176e678d713c
Instruction ID: d8a423dbb25e289b9d97aa2434870f56489b213253ae5f520ac8298f31e9d856
Opcode Fuzzy Hash: d3f751e7a1054b9be1ee54a091cf5168d26ba8e6faff9e376956176e678d713c
Instruction Fuzzy Hash: 4901006250E3C09FD7124B258C94B56BFB8DF53224F1DC1DBD9888F1A3C2699849C772

Uniqueness

Uniqueness Score: -1.00%

Function 011B8A58 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d672386cf738011e1f8bd48f34f698739a0dea75ebe902a16146d90b37d44b6
Instruction ID: 5024249ac1cf09a1453bae5b6c0b12748637d7186ff7476d0f1ba5c09bd412c0
Opcode Fuzzy Hash: 8d672386cf738011e1f8bd48f34f698739a0dea75ebe902a16146d90b37d44b6
Instruction Fuzzy Hash: 75014F32D0015DDBDF08DFA9D8448CDBBB6FF89310F05852AE545BB250DB316916CB95

Uniqueness

Uniqueness Score: -1.00%

Function 011B3210 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf023a1b288e4fa80de2181b298c6b092688ecc3f265b384ab889b80079dbc72
Instruction ID: 68a3d3be393d0eb51508d9dd0e156e91e7e62dc1f8e00fcee546146d9f8d2477
Opcode Fuzzy Hash: cf023a1b288e4fa80de2181b298c6b092688ecc3f265b384ab889b80079dbc72
Instruction Fuzzy Hash: A8018B30C19208EFCF0ADBA8D9816ECBBB0FF0A210F2081EAC111D7251E7351E90DB41

Uniqueness

Uniqueness Score: -1.00%

Function 011BB888 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3458a87bd184e72f323bf671d86a9bb8746c106eceab8bddcc12a892b8f91617
Instruction ID: b5c646c43cce7529b811bc9a470b95d1f5f3a4a12bad96903868629e1ba4181e
Opcode Fuzzy Hash: 3458a87bd184e72f323bf671d86a9bb8746c106eceab8bddcc12a892b8f91617
Instruction Fuzzy Hash: D8F08C37B0D2445FD728CABEA440A9BBBDECBD4220B14C07FE94DC3740E932A4008768

Uniqueness

Uniqueness Score: -1.00%

Function 011BEDB8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03e43c3ce909de6fdfae239a1e1485096ccf90790492846e893997493975042f
Instruction ID: 3663753ee0702607483c6d44c806c182b58015d361f3979e357281d4fff6fde4
Opcode Fuzzy Hash: 03e43c3ce909de6fdfae239a1e1485096ccf90790492846e893997493975042f
Instruction Fuzzy Hash: DDF089363001196F8B059ED898509EF3BABEBC8360B004429F609C3350DB715D2597E5

Uniqueness

Uniqueness Score: -1.00%

Function 011B8C20 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f97eb12a04dc9f45f3d93a3c67f11c1a531fa20cf2f6e154192b3e04832ab58a
Instruction ID: f4366466befbd66abfc9ce99075aea739774d2e337c4e74d90d9e5e7d0e57368
Opcode Fuzzy Hash: f97eb12a04dc9f45f3d93a3c67f11c1a531fa20cf2f6e154192b3e04832ab58a
Instruction Fuzzy Hash: FEF05E313002049B9714DA7DE884E9ABBE9EF892A0314862AF519CB354DB71ED418790

Uniqueness

Uniqueness Score: -1.00%

Function 011BF188 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99bb2cb1dec662b3a6d38d731ef51f98770da8930851d56bc5ed69197baeb69c
Instruction ID: ae95a584298acbbd731a0180223b6337af62756bda81a9c74018e4ffbb4c0a1a
Opcode Fuzzy Hash: 99bb2cb1dec662b3a6d38d731ef51f98770da8930851d56bc5ed69197baeb69c
Instruction Fuzzy Hash: 17F02E71B003118786199A7EFC909DBFBEEDBC6390300856AE50DC7301DF64AC154790

Uniqueness

Uniqueness Score: -1.00%

Function 011B4F20 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9ca23fcd50d72073026ee1993092e64b421f4439a7daba97fbf4a52f1f1a3d5
Instruction ID: 57b1c0ccd6c99df2e0c67ce446131d3ae7e5541d8c25c8cdbcb05139928abdee
Opcode Fuzzy Hash: a9ca23fcd50d72073026ee1993092e64b421f4439a7daba97fbf4a52f1f1a3d5
Instruction Fuzzy Hash: B8F02776D483902FCF0A46BC58605ED7FF58B97210718C09FD04ED7753D93248064392

Uniqueness

Uniqueness Score: -1.00%

Function 011BB87A Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9235f5ef0777bcec363127f632065fd2570b2ed11a8f1369032367ffafcbf2ee
Instruction ID: 1ffa39e52c1457e3c98ad2e8d0c79aba67f3b754c7d4e4761ed0a4c479413abb
Opcode Fuzzy Hash: 9235f5ef0777bcec363127f632065fd2570b2ed11a8f1369032367ffafcbf2ee
Instruction Fuzzy Hash: DFF0653670D2505FDB16CBBDA850A8B7BEADF9A210B14C4ABE44CD7241D930E8058725

Uniqueness

Uniqueness Score: -1.00%

Function 011BA611 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c596363e032430d3682b1783d6d5feb382910b52337388ae4a77fa56c307808
Instruction ID: dbbb039a99b8651e8d849978d09dac54100f9833819068c6cc40d95e4024348e
Opcode Fuzzy Hash: 9c596363e032430d3682b1783d6d5feb382910b52337388ae4a77fa56c307808
Instruction Fuzzy Hash: 30F0EC3270425097C7155BAEB49D55ABBD9EFCD621704407DEA0ED7341DF319C058394

Uniqueness

Uniqueness Score: -1.00%

Function 011B0E30 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f88687f8b1c58463068ea3c4bb0667ca2fdcf459f7275a21dd7938212dd52414
Instruction ID: a7b5df03f76ce8377d75c28861a9018d63c5e67c748942a04e26e96b831e3cbf
Opcode Fuzzy Hash: f88687f8b1c58463068ea3c4bb0667ca2fdcf459f7275a21dd7938212dd52414
Instruction Fuzzy Hash: C4F05E322083409BC7066778A96519A7FB2DECB211314C4BEE189DBA52EE229906C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 011B3220 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b7777656f07f445e855f24495c31c944cd7b6c0cc75612509c3e64b09e989c6
Instruction ID: b6967a2333fd785b3a9e3a2dad50f7fde0a7b9591745e95f6d7f1da421781e21
Opcode Fuzzy Hash: 6b7777656f07f445e855f24495c31c944cd7b6c0cc75612509c3e64b09e989c6
Instruction Fuzzy Hash: 32F0E730D00208EBDF49EBA8D4856ACBBB1FB49211F6081A9D515A7250DB341E94EB51

Uniqueness

Uniqueness Score: -1.00%

Function 011BF0B8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acf4a951bc833f7bb21e7bef417bd44635db383b40c4f3ef4513a179eac69c8b
Instruction ID: a36edc69ef712a5cdbdf2106d6513bb1af2fc0cce4ad33917c74121bb2c34e1e
Opcode Fuzzy Hash: acf4a951bc833f7bb21e7bef417bd44635db383b40c4f3ef4513a179eac69c8b
Instruction Fuzzy Hash: 99E02B727463418FC305A6299C90947B77BEFC5311B2584BDE10CDB356CD719C46C750

Uniqueness

Uniqueness Score: -1.00%

Function 011B55B9 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0f66d45fe789b60644db340c82f2190aaff0877485ab97b5f10ce917666d52d
Instruction ID: f768dcd8a069018a2b4dea54024ef9c94f020c72208262b705b12106b533986c
Opcode Fuzzy Hash: c0f66d45fe789b60644db340c82f2190aaff0877485ab97b5f10ce917666d52d
Instruction Fuzzy Hash: CEF0B471905388DFCB41DFB4D8156A97FB59F46205B0585EDC444C7263E7311A149B41

Uniqueness

Uniqueness Score: -1.00%

Function 011BDE10 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aadbd4d74fb319dc15357a0af78889a850f5b887a99801c724f9e3e248e8fa1
Instruction ID: 4fb93a3a6543bc9210010597eff8328f35c5302a172a1dff74b5fb232b69142e
Opcode Fuzzy Hash: 7aadbd4d74fb319dc15357a0af78889a850f5b887a99801c724f9e3e248e8fa1
Instruction Fuzzy Hash: 3DF0F971D00215DFCB44DFACD941A9EFBF0EF49304B148099C519EB215E3319A22CF81

Uniqueness

Uniqueness Score: -1.00%

Function 011BA620 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85d2ee3112b50f3426f0db57675de5214de5e4f6a311db67942b84253f0a7b6b
Instruction ID: ed88be2b87909e27130f220d4cd45cb2674aa30199b60d3ef8431b43cbc8c639
Opcode Fuzzy Hash: 85d2ee3112b50f3426f0db57675de5214de5e4f6a311db67942b84253f0a7b6b
Instruction Fuzzy Hash: 18E04F32700614979714AAAEB48D56ABBDEEBCD661754843DE60EC3380DE718C068394

Uniqueness

Uniqueness Score: -1.00%

Function 011B0E40 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ff51b5b1d90f1866a908bef155b1d804379b783247859d970bc1db3747cd694
Instruction ID: 4e13b736c4cbf14c7926475140fbf26f39b321de695e5c490570f1647a6cf15b
Opcode Fuzzy Hash: 6ff51b5b1d90f1866a908bef155b1d804379b783247859d970bc1db3747cd694
Instruction Fuzzy Hash: 4CE09A322082009783056778A8655DE7BE6EAC7321300C97EE24ACB700EF32A9028BE1

Uniqueness

Uniqueness Score: -1.00%

Function 011BF0C8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31f61132bcd3becfe1bbcdb70c729bcd108cebb9a3aabfda624093c33b9e1d77
Instruction ID: 8d9da7478994989e0ad87e7f8787327c15e1dbfbfc5a6ad184994c8a770e352a
Opcode Fuzzy Hash: 31f61132bcd3becfe1bbcdb70c729bcd108cebb9a3aabfda624093c33b9e1d77
Instruction Fuzzy Hash: F4E026327013114BC308A61AE880A57B3AEEFC9764F208438D10CC7345CD729C428390

Uniqueness

Uniqueness Score: -1.00%

Function 011BDE20 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43ff6bc254d7cd5473e00a45700fe49115608fcd2f24a98ada941ba16ab53b54
Instruction ID: cce672c14e846542e03539b00f4c3d0f37f131ede4a1c6a6136e26134b9e560b
Opcode Fuzzy Hash: 43ff6bc254d7cd5473e00a45700fe49115608fcd2f24a98ada941ba16ab53b54
Instruction Fuzzy Hash: A3F09271E00219DF8B44DFADD84169EFBF5EF89200B64816AD919E7211E731AA128FD1

Uniqueness

Uniqueness Score: -1.00%

Function 011B5570 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e5dd0f330961e9381595c580968d91b909781f3e5305194c61b94363614b565
Instruction ID: 6e14f12d57354168efee609d68d007f27e3a5d36c1b062ecd6c68b47125d4121
Opcode Fuzzy Hash: 7e5dd0f330961e9381595c580968d91b909781f3e5305194c61b94363614b565
Instruction Fuzzy Hash: EEE0EC373001985B834CB6BDB81846E7B9EEBDE662314C126F956CB388CF749C02C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 011BDE54 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da90773fc0bf7ba40a96de06e5f7d2ef5547f51f64cc4d21e5d8033a847abbe4
Instruction ID: 30ccc6d6ca9f7e6981cf74e3c2b9be2de5185346204abee395fb1a6a80768a3f
Opcode Fuzzy Hash: da90773fc0bf7ba40a96de06e5f7d2ef5547f51f64cc4d21e5d8033a847abbe4
Instruction Fuzzy Hash: 19E01A71B005298FDB58DFADA8006EEBBE5EF883507018559EA25DB214EB348A118B95

Uniqueness

Uniqueness Score: -1.00%

Function 011B3287 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4e88c151c9b18279077fff9080e3c9018b9321b252de73e8ea0cabfda30c288
Instruction ID: 1fe02489285a9efc3957900ba3266d727d7ac92c4a59d354b7da14c6aaa735ce
Opcode Fuzzy Hash: c4e88c151c9b18279077fff9080e3c9018b9321b252de73e8ea0cabfda30c288
Instruction Fuzzy Hash: 04E06D322092558FC712DB78F8516DD3BF1AE86310B0D4DEED1408B192C770A9088381

Uniqueness

Uniqueness Score: -1.00%

Function 011B5038 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2dd8ee4e2f442978761f09cdff5be20df95cc17a4d67abce79c4d15ec43542e
Instruction ID: 717d1307eb8e68601aae6e339d0a2f4ab228e75e84366aa90390b42568c0c521
Opcode Fuzzy Hash: e2dd8ee4e2f442978761f09cdff5be20df95cc17a4d67abce79c4d15ec43542e
Instruction Fuzzy Hash: B9E08C30608301DFEB2ACF28DA808953BB5AF5620071641EBE848CB632C331CC15CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 011BB841 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d29223e7b57fae362f8545ba238dc8dfcdebcb50725e2fb297b11cf28303b83
Instruction ID: 67c8ab30b8522fe5b652fbcfa75fbe6183a2df4926986ed48de8ccda70322548
Opcode Fuzzy Hash: 2d29223e7b57fae362f8545ba238dc8dfcdebcb50725e2fb297b11cf28303b83
Instruction Fuzzy Hash: 94E04F7054D2905BC746DB28E5881D87FE4AB17620F8804D9E5858BA56D724A846C792

Uniqueness

Uniqueness Score: -1.00%

Function 011BA4E5 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79ad2efa66003c134080fa26a5227a205c1fa9561c707a903b4beb8527e56d84
Instruction ID: f68fd25041ea94d8ad4be8bfd79350a62b31219bfd9c3ded5954d88241f4e68f
Opcode Fuzzy Hash: 79ad2efa66003c134080fa26a5227a205c1fa9561c707a903b4beb8527e56d84
Instruction Fuzzy Hash: 51E0867051D3409FC3419F38E9441957FE4AF45204F4544AEE8C9C7645E634A905C752

Uniqueness

Uniqueness Score: -1.00%

Function 011B5048 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 441bbd9c0caff1d5bdc415113255ffcc3584a1e0e73f063ca3bb0da4978c42fa
Instruction ID: 0148f618e49c9df2775e3276c7fbb0b8bc5bfbf1e3ad6e689d27c1cff1de7bc4
Opcode Fuzzy Hash: 441bbd9c0caff1d5bdc415113255ffcc3584a1e0e73f063ca3bb0da4978c42fa
Instruction Fuzzy Hash: CED05E307002098FF66CCB29D48895133BABB44640B2100A6E5098B23ADB21EC01CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 011B55C8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 760572e3dfb3a957e1f1fb877a8c949d243916e6a1eb8bce9a3df50bbf44e278
Instruction ID: 54496dce3bd99a8e3bea52263831dbf5cefb0b31ee997031a8cccfcd4f29f426
Opcode Fuzzy Hash: 760572e3dfb3a957e1f1fb877a8c949d243916e6a1eb8bce9a3df50bbf44e278
Instruction Fuzzy Hash: DAD0127090120CEB8B40EFB4E90169DB7B9DB49241B1085A9D808D7200EA312F109B51

Uniqueness

Uniqueness Score: -1.00%

Function 011BE4B0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1524d14a8c4d4bcc746f3d3ca9880205c68e2bc85f0b52caf5e27f8957e627b9
Instruction ID: 70f8bff38d42c48e6d9786800a8148be1ac98d7ea8483be397de09270ac4e19a
Opcode Fuzzy Hash: 1524d14a8c4d4bcc746f3d3ca9880205c68e2bc85f0b52caf5e27f8957e627b9
Instruction Fuzzy Hash: 0CD0C73241470D89C700BBB8D455469F778EFD5200F00C65AE44957122FF70D5D0D681

Uniqueness

Uniqueness Score: -1.00%

Function 011BD6B7 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ded35ada493c8d3ea505ee18788ed6eb6747999391908753af2f14de58fe817
Instruction ID: 2109e456a2db9a667c6b92755dfb67ee205627772e6c501bf3d80aa8b6d93d5e
Opcode Fuzzy Hash: 6ded35ada493c8d3ea505ee18788ed6eb6747999391908753af2f14de58fe817
Instruction Fuzzy Hash: E3D05E3454D6408FCF16DF2DED845007FA0AB0B32071012CBD4A4CB1E2DF2054058B11

Uniqueness

Uniqueness Score: -1.00%

Function 011B0F30 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2983f864a9e996d0f672dbb39a0ae570a1394edd5b1e7ed54a8961ee16d23ff5
Instruction ID: 79c8bd5c59c3a8eef336d85e0662f7a4e04ea05a6fd0a643e452155f3ddb695b
Opcode Fuzzy Hash: 2983f864a9e996d0f672dbb39a0ae570a1394edd5b1e7ed54a8961ee16d23ff5
Instruction Fuzzy Hash: 93C0122021E2800FD702DB249C20012BFA28F83108318C0CAE090CF26BC627D903E701

Uniqueness

Uniqueness Score: -1.00%

Function 011BF29A Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3346616163.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11b0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75bce35182ed25a41385a1c08f932c2c331a298f63a185130dcba68c24212a06
Instruction ID: bd74fa049e646971de1522fee3795c6976f13746618fbcb74d2c6e772aa7a3f8
Opcode Fuzzy Hash: 75bce35182ed25a41385a1c08f932c2c331a298f63a185130dcba68c24212a06
Instruction Fuzzy Hash: D1B092B1615501DBC700DB50C388886F3A0EBA0300B118162A5088A20CCB30A822CA42

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ScreenConnect.WindowsClient.exePID: 7020, Parent PID: 5964COMMON

Execution Graph

Execution Coverage:	11.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	5
Total number of Limit Nodes:	1

Executed Functions

Function 00007FFD34BA4BFC Relevance: 2.1, Instructions: 2142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366573918.00007FFD34BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34ba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0074ffa6208ca0e308f00b43a0a61a74dc037862cdd1e5ff4bfcd00a6b5ceecb
Instruction ID: 7f23daadcb95fe5409d75a721c1668f3d8b5b760a796085baa35f5c793c7d2bf
Opcode Fuzzy Hash: 0074ffa6208ca0e308f00b43a0a61a74dc037862cdd1e5ff4bfcd00a6b5ceecb
Instruction Fuzzy Hash: D9F2C170E09A198FEBA8DB28C8A47A877F1FF59300F1441B9D54DD7292DE38AD81DB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34BA21F3 Relevance: .7, Instructions: 712COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366573918.00007FFD34BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34ba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ffc048444f494b0a8d4c47d6aadbad0b54d7283b759c48ad14a425d72e6a2ff
Instruction ID: 3aca0f241b7b225f782f46230229696f991af01773987e53137c1ad058470393
Opcode Fuzzy Hash: 5ffc048444f494b0a8d4c47d6aadbad0b54d7283b759c48ad14a425d72e6a2ff
Instruction Fuzzy Hash: 25222A32B1E94A4BEBED9A2894B56B433D1EF95704F18017AD98DC72C7DD2CBC069342

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34BA34CF Relevance: .5, Instructions: 508COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366573918.00007FFD34BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34ba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5263133df6ad1a0701c8d57ce2b92f4f04242af50c2c1a6fa2d7b7fe2dd07028
Instruction ID: 8a1ad5c1677922424660ceee63ea15f1e9b10d0f3b2935467673c6aea8cc000a
Opcode Fuzzy Hash: 5263133df6ad1a0701c8d57ce2b92f4f04242af50c2c1a6fa2d7b7fe2dd07028
Instruction Fuzzy Hash: FAF1C631F1EA174BEBD9972884B16B977D2EF9A340F544079D54EC32C2DE2CB806A352

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34BA1B4D Relevance: 5.1, Strings: 4, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

hy4, xrefs: 00007FFD34BA1B76
py4, xrefs: 00007FFD34BA1B90
xy4, xrefs: 00007FFD34BA1BAA
py4, xrefs: 00007FFD34BA1BC8

Memory Dump Source

Source File: 00000009.00000002.3366573918.00007FFD34BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34ba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: hy4$py4$py4$xy4
API String ID: 0-1667221705
Opcode ID: b24f93e663ebc54e7cb9b9a4b63c5441662d39cf4a275875aa0e84a7eed4e8de
Instruction ID: e880c5f86360e448bf98addd49fdbc6ad41da0f020d52ccf0817898ddedcd610
Opcode Fuzzy Hash: b24f93e663ebc54e7cb9b9a4b63c5441662d39cf4a275875aa0e84a7eed4e8de
Instruction Fuzzy Hash: 7B11B472E0EA8C4BEFD5DF6858B41A87FE0EF56304F4D00AAD158D7292EB24A409C703

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34897E84 Relevance: 1.7, APIs: 1, Instructions: 179
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetProcessMitigationPolicy.KERNELBASE ref: 00007FFD34897FB2

Memory Dump Source

Source File: 00000009.00000002.3358595307.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34890000_ScreenConnect.jbxd

Similarity

API ID: MitigationPolicyProcess
String ID:
API String ID: 1088084561-0
Opcode ID: e90ad5d7d77d0b6d08df343cac22c53663b691bb94ef5c428c8b41aae047d777
Instruction ID: ba5c5fa57adcb6c7bc5ac6da567d1d8b7d1bd9fa3fc5c96373661a36f74226d7
Opcode Fuzzy Hash: e90ad5d7d77d0b6d08df343cac22c53663b691bb94ef5c428c8b41aae047d777
Instruction Fuzzy Hash: 7A514A31E0CB498FD715AFA89C565F9BFE0EF56321F04017FE489C3292DA68A84687D1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34BA1299 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366573918.00007FFD34BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34ba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ea4dad83d7535526df9df530983ca8de0257019887543db9cdafd20800ba558
Instruction ID: 95dba525f22994522294cf3d8fa65579d0d3a5bab90549df19faa32dadbe9b33
Opcode Fuzzy Hash: 8ea4dad83d7535526df9df530983ca8de0257019887543db9cdafd20800ba558
Instruction Fuzzy Hash: 79B10C32B0EA4A1FEBE5EA1C98A24F577D1EF56310B44017ED54EC7583DD28F8468782

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34BA249C Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366573918.00007FFD34BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34ba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0586513042c5451c7b03c422e2d55b820223294bd9e3a4ea3ea5a0e798bc9e2
Instruction ID: 650459d271b923ccb2804eb01421bf6911d6e16881c98a94b02ba2bbd2a4f30c
Opcode Fuzzy Hash: c0586513042c5451c7b03c422e2d55b820223294bd9e3a4ea3ea5a0e798bc9e2
Instruction Fuzzy Hash: 54B13821B0EA4A4FEBED9A6854B52B437D1EF96704F1801BED58DC72C7DD2CA806D342

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34BA6655 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366573918.00007FFD34BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34ba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71065581e095e606696d3c615c3c597358920d38b91c3f7b66372d4ffbb9643a
Instruction ID: e5ec46c4303d3cdc8f2cc953298ef5e5fac27b777b1d8a9f89eb3ae745f167d8
Opcode Fuzzy Hash: 71065581e095e606696d3c615c3c597358920d38b91c3f7b66372d4ffbb9643a
Instruction Fuzzy Hash: 0FA1BF61B1994A8FEFD4EB6C84A5BA973E2FF99300F1801B9D44DD3296DE38BC418741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34BA04E8 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366573918.00007FFD34BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34ba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adedb427fce985f4cb4c9273bd93e3733a7b07523c57a63f975a333dd8d55c96
Instruction ID: 135e0fa7583b81340b7ff6ebd437abc4fdaef856aa8ec5bc4d91f9c5d148418e
Opcode Fuzzy Hash: adedb427fce985f4cb4c9273bd93e3733a7b07523c57a63f975a333dd8d55c96
Instruction Fuzzy Hash: 73716E3271CB0E4BE768591CA8D517673C1EB9B3A5B00017FDA8BC3252ED69EC435286

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34BA0DCD Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366573918.00007FFD34BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34ba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ded9eb2c383e6a5c7ce96f7cd6b8b98709f164a284d0b38b4d2f33542ed3d39
Instruction ID: a86329bb2195f9a8e1906b63be5c991d1e81343614fb2a37c0ea4e89303b10ee
Opcode Fuzzy Hash: 7ded9eb2c383e6a5c7ce96f7cd6b8b98709f164a284d0b38b4d2f33542ed3d39
Instruction Fuzzy Hash: 5BA1DF34709B098FDBDCEF18C0A5A6573E2FF69304B6449ADD059CB697CA26F842CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34BA34D9 Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366573918.00007FFD34BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34ba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64a58a25eb53ab76ddc91ef58f9e652311dd460b9ad4a0439b0fc949e6398cb6
Instruction ID: 67f0a93ace88773b02fedab2741e46021db8b04242ad8a64bc3061852b02ca5b
Opcode Fuzzy Hash: 64a58a25eb53ab76ddc91ef58f9e652311dd460b9ad4a0439b0fc949e6398cb6
Instruction Fuzzy Hash: D5A1B931F0EE474AEBE5972844F16BD26D2EF96344F541039DA0EC32C2DE2CB841A752

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34BA2524 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366573918.00007FFD34BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34ba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ea8568c06958ed98177b0b3e7cfe2cb4e42594f3cb1f059a4ed1c2708560235
Instruction ID: 029ac506ffa13b98078008efe2ea364b4ddabeb3410d1c0b9dd2154ee3c14c8c
Opcode Fuzzy Hash: 3ea8568c06958ed98177b0b3e7cfe2cb4e42594f3cb1f059a4ed1c2708560235
Instruction Fuzzy Hash: 1991F261B1EA464BEBED9A2844F56B422C1FF96704F08017ED98EC72C6DD2CE8059342

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34BA13B3 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366573918.00007FFD34BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34ba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 916ad37f804711b38f71cc673ab94cdf91af7876504200c638bc00a04921aee5
Instruction ID: d1cb8874910eeee4bb0cb33997691301c541671b70f0927c15e3503021fc2bca
Opcode Fuzzy Hash: 916ad37f804711b38f71cc673ab94cdf91af7876504200c638bc00a04921aee5
Instruction Fuzzy Hash: 2E819432A0DA0A4BEBE9EA18D4A24F573E1FF65310B54453DD54FC3582DE38F9468B82

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34BA26FE Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366573918.00007FFD34BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34ba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a780d3e87b3bd410be3f0128368e7abdfd8ed9eaa3552b67eea21da04b22c732
Instruction ID: 7bf15f15520a8602fd6bf6f91cffed9df98f26c3ae9d3055021c66a9b52344c2
Opcode Fuzzy Hash: a780d3e87b3bd410be3f0128368e7abdfd8ed9eaa3552b67eea21da04b22c732
Instruction Fuzzy Hash: 3C513662B1EA464BEBECDA6844B56B433C1EFA5704F18417ED49EC7282DD3CF8459382

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34BA27B8 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366573918.00007FFD34BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34ba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 980dedcf410513ba1a7581ae63054116bfb3a03766bcc27c41dbe66cf90755fc
Instruction ID: 1e6cf9947ea1e839b1e85dd982bae79b449ab1687199c830458769e0288d620f
Opcode Fuzzy Hash: 980dedcf410513ba1a7581ae63054116bfb3a03766bcc27c41dbe66cf90755fc
Instruction Fuzzy Hash: 60513562B1D9864BEBECDA6844B56B433C1EF95704F1841BED48EC7287DD3CE8459382

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34BA2126 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366573918.00007FFD34BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34ba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74c599b67623db1d7d936a446859fdcdb6c42e1b1108c9130d90672248ccb6a2
Instruction ID: f913a13b4b64242fdefe8fdb58aa3adc64c3568aa5cab290da6806dd0506103c
Opcode Fuzzy Hash: 74c599b67623db1d7d936a446859fdcdb6c42e1b1108c9130d90672248ccb6a2
Instruction Fuzzy Hash: BD41552170D94A0FE7AE6BA8E4B52B837D2DF8A300F1401BAD64DD72C7DC1D68028342

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34BA83F5 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366573918.00007FFD34BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34ba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a248a3c9b5cf125a4b5cfd637fe1b754c36893256e13f1ab85628cbeaf58b600
Instruction ID: 1c9c9e10050c69624ff65fad857a47f91761888bb566e84acd748351a9451a16
Opcode Fuzzy Hash: a248a3c9b5cf125a4b5cfd637fe1b754c36893256e13f1ab85628cbeaf58b600
Instruction Fuzzy Hash: FC411852B1EA8A0FE7D5E76C58B52B47BD1FF9A240B4841B6D50CC3287ED1CAC065382

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34BA4A48 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366573918.00007FFD34BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34ba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50b960180a7902379956be5c4de909bf28bdc8bb3927ebc0e90b933c1bbb973e
Instruction ID: af096a0f37743fc1e9e29e58d3f095d0c4a5f40e3b2e9e343aba8e9399d707a8
Opcode Fuzzy Hash: 50b960180a7902379956be5c4de909bf28bdc8bb3927ebc0e90b933c1bbb973e
Instruction Fuzzy Hash: 53410762B0D94A4FEBE4DA1888B97B937D1EF9A340F040579E51DD32C3DE29BC069742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34BA83F8 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366573918.00007FFD34BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34ba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 977fd2b4ff04a9b0485d8fcc44beda8e6ca82e7e2b0539703daa84137c1e82eb
Instruction ID: f045f998a0e899ccef763540b842d7ff9d4dd8963e11ac50c61a91af43f05602
Opcode Fuzzy Hash: 977fd2b4ff04a9b0485d8fcc44beda8e6ca82e7e2b0539703daa84137c1e82eb
Instruction Fuzzy Hash: 6C411952F1EA8A0FE7D5E7AC58B52B47BD1FF99240B4841B6D14CC3287ED1CAC025382

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34BA16F2 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366573918.00007FFD34BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34ba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90ab7970941468ed89acfdcffc4fb41069d5af407dafa6ebb80ebe5cba3d10fc
Instruction ID: 33a5e84b975d18177ebb11eb93a0aa51309b87d177bfd8d0335e1b47a7fe61e0
Opcode Fuzzy Hash: 90ab7970941468ed89acfdcffc4fb41069d5af407dafa6ebb80ebe5cba3d10fc
Instruction Fuzzy Hash: BE41AE66A1E3961FD383A7BC99F41E53FA0DF1331870800B7D298CB193F91CA84A9752

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34BA1CB9 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366573918.00007FFD34BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34ba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5113afaf9ba9d78e17fbfdf315747f82323ac9da486da74da354d9d4d091291
Instruction ID: 52655aeecb7a3770c3b9ae7999dbe6e0bb88969ce2dd28f2d027d738ff4f3eb5
Opcode Fuzzy Hash: c5113afaf9ba9d78e17fbfdf315747f82323ac9da486da74da354d9d4d091291
Instruction Fuzzy Hash: 2A418071709A898FDBC8DF28C8A4AA537E1FF59304B1401ADD46ECB2D2CB35E852DB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34BA70D5 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366573918.00007FFD34BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34ba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b08c728fb896c7d00d6c70a1582185a365b04de84963e75c2f83c0be797d3ea
Instruction ID: fb134f9c4b271d32da0ee82f93a942907f1828fe7961606709b3fd0c50ae56ea
Opcode Fuzzy Hash: 9b08c728fb896c7d00d6c70a1582185a365b04de84963e75c2f83c0be797d3ea
Instruction Fuzzy Hash: 70311731B1DD0A4FE790EB2C98A96B9B3D1EF95250754067BD40DC3292DE28EC428782

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34BA93CB Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366573918.00007FFD34BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34ba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbef858c3dd901eb40475f3710d212ad37acfce5b36a9d6ad1ab75dfceb7b10a
Instruction ID: 560c8b67aa45bdc205a70c78c18f21d66c5ff2f6588d775aa20eba260194a1f2
Opcode Fuzzy Hash: bbef858c3dd901eb40475f3710d212ad37acfce5b36a9d6ad1ab75dfceb7b10a
Instruction Fuzzy Hash: 46319E70A0DA4C8FEB94DF9CC85A7EDBBF0FB5A311F00816AD149D7241CA74A846CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34BA00CD Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366573918.00007FFD34BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34ba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ee74c5ff7f13fc20b717aacfd84d78c285bc0546ea9488623c0f8b486019ad7
Instruction ID: 945112028b639b2365c1e5f4c7e2e234b2442674406e36edc7f653308f89ecd2
Opcode Fuzzy Hash: 5ee74c5ff7f13fc20b717aacfd84d78c285bc0546ea9488623c0f8b486019ad7
Instruction Fuzzy Hash: 33212852B0ED990FDBD4AE6C58E8AF433D1DF9A204B0801BFE54EC3187DC28AC068341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34BA90B2 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366573918.00007FFD34BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34ba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 654b3525f6a2c0db4757205c8778bec78b2665cf4f876ab234f22962575970f4
Instruction ID: a38231dd1669ba7623b5de257c5d5e92b2bca28d24478ecdf08945d4007d43dd
Opcode Fuzzy Hash: 654b3525f6a2c0db4757205c8778bec78b2665cf4f876ab234f22962575970f4
Instruction Fuzzy Hash: A8312631F0A61A0BF7D4E72880F93A936D1EF46300F50487AD64DD36D2DE2CAC496782

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34BA69D7 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366573918.00007FFD34BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34ba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d57ea9687e61d5ef4abbb50c0dbedd292fab939cba76e63a922831d4ef2659c5
Instruction ID: c49c1e396fdbbdaa01806871ea489cbca1e0029314a3f7f3f716841eca9c72f6
Opcode Fuzzy Hash: d57ea9687e61d5ef4abbb50c0dbedd292fab939cba76e63a922831d4ef2659c5
Instruction Fuzzy Hash: 33216DB1B0EA860FDB99DA1898E52A437D1EF52300F0440BEC59EC7293DD29BC178782

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34BA4B36 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366573918.00007FFD34BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34ba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7698bab876fbf807e92c2a66102d78ff99a73183fa1171795cbdb1a0dc1981b0
Instruction ID: ae911d04626a007242a02bdac53a1382a4e987d346ae718e80dbce0d1be40794
Opcode Fuzzy Hash: 7698bab876fbf807e92c2a66102d78ff99a73183fa1171795cbdb1a0dc1981b0
Instruction Fuzzy Hash: F9219061B1D94A4FEBD4DB1C88B97A537D1FF99704F5401B9D41DC3286DE38A8068742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34BA15F0 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366573918.00007FFD34BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34ba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2b140399cd764495cb8763cae9242991a03f8f4d95f5229c7555caf3e450900
Instruction ID: 1cfc30d61526e725ff2c0a8f48ea7463a0e5e7e103e5137056ab9f14de251af6
Opcode Fuzzy Hash: c2b140399cd764495cb8763cae9242991a03f8f4d95f5229c7555caf3e450900
Instruction Fuzzy Hash: 5D117D51F1A94A0FE7D5A76C18F55E16B91EF96220B5C81FAE00CC318BDC2CDC468391

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34BA0A59 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366573918.00007FFD34BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34ba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 070595355731e8d9d7b46c002c04654bbce1d641d62cd060000e3a4d6fac4f7e
Instruction ID: a4721c9407f7b2c73e750550fb54241fb1f721fc9292fee87d7ab9c4c5e66a8c
Opcode Fuzzy Hash: 070595355731e8d9d7b46c002c04654bbce1d641d62cd060000e3a4d6fac4f7e
Instruction Fuzzy Hash: 5611E010F0EA430EF7A5976884F03796AE2AF96300F1D80BAC54DC71E2DC6DAC829352

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34BA92D0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366573918.00007FFD34BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34ba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77bf11027229edd1db540d7503c7b9bec5601ba86dceea088d84372f9eea5e8d
Instruction ID: 1e9732cbf4b449146b9f184c9c65c58605e937fded61503392cfb9468f329772
Opcode Fuzzy Hash: 77bf11027229edd1db540d7503c7b9bec5601ba86dceea088d84372f9eea5e8d
Instruction Fuzzy Hash: D8111F71E5592A4FDFE4DA1488A97E873A1EB59304F5001BAD11DE3291DE38AE818F40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34BA79BD Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366573918.00007FFD34BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34ba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38380ffc082197dd4a814c9e5ebcd4c272bc0da2ebbfa699146aadb4e8418ba9
Instruction ID: 6d9eae0da5043f9fe3d852f4e9dface82a67511f24462f0a627a5b15b238d002
Opcode Fuzzy Hash: 38380ffc082197dd4a814c9e5ebcd4c272bc0da2ebbfa699146aadb4e8418ba9
Instruction Fuzzy Hash: 4701BC2271AE0A4FE7D4FB3C84E92B872C2FB9A241710057AD50DC32A3DD2CA8469341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34BA862D Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366573918.00007FFD34BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34ba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: befb49c4c83aaf1ed6529eb7b9ea7cc7e338a4daf0cc7d3e8e08f7f0fbe0435c
Instruction ID: c2a04849d6fa520fe8468c4a12afa4d883f95c92c4205f039efa9d92802dc6ab
Opcode Fuzzy Hash: befb49c4c83aaf1ed6529eb7b9ea7cc7e338a4daf0cc7d3e8e08f7f0fbe0435c
Instruction Fuzzy Hash: 2211A135A09A5D8FCB95DB18C8B86E9B7F0FF55300F0002AAC449D32A1DF342986DB02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34BA0078 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366573918.00007FFD34BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34ba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 771fa76f66bbd4c4d0af18a2ed142d5af2ef83bfbb4d72d6292b31d8da4e7443
Instruction ID: dabf7fe4b88bd94b0a09150e3fedfadc289f122e6054cf7a0a3eda531cdcb934
Opcode Fuzzy Hash: 771fa76f66bbd4c4d0af18a2ed142d5af2ef83bfbb4d72d6292b31d8da4e7443
Instruction Fuzzy Hash: D7F0B413B0B94E2FE6D45A7A28E92F463C1EBAB274F480436D149C2292DC5E6C915241

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34BA94B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366573918.00007FFD34BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34ba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c528021898a009f355d7e70d1af4e71fc64adf9be23dbaf74882a8a0d1c97ba
Instruction ID: 56c4a1c8ec4b61e63c771ab278c8a7e9b1de792e59dd48402361d1ae9c4294ec
Opcode Fuzzy Hash: 2c528021898a009f355d7e70d1af4e71fc64adf9be23dbaf74882a8a0d1c97ba
Instruction Fuzzy Hash: C6E09BB254E60C6EA61CAA55AC479F7379CE747134F00111FE58EC2002F156B5238295

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34BA921D Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366573918.00007FFD34BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34ba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 034f2b015d4756ab7733a9762694922cc97729bd4fcfdb97107de12e3aa45f68
Instruction ID: e0fc880912132d17658a3ac9fbc1193a0cb905250ecbf1a7c78c7c9362267998
Opcode Fuzzy Hash: 034f2b015d4756ab7733a9762694922cc97729bd4fcfdb97107de12e3aa45f68
Instruction Fuzzy Hash: 85015F74A1A9188FDFE4EB18C899E9877F0EF29301F4441E5A10DE7261DE34EE809F41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34BA0A70 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366573918.00007FFD34BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34ba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c3a6cd802aa84aa3ef29c051599d989d5a668c36e6fc5512f9bd56c28816fbd
Instruction ID: c45dade0d2edeb66995ce341a9cb51b3fd43564ddab59b3f5f7c19093c3fae05
Opcode Fuzzy Hash: 4c3a6cd802aa84aa3ef29c051599d989d5a668c36e6fc5512f9bd56c28816fbd
Instruction Fuzzy Hash: 79E02601F0D91702F6B4A2B5A4F13BD50D29F85350F0980B5D90CC20C5DCADAC8161A2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34BA04C8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366573918.00007FFD34BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34ba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baec82fc7d70137c9920f7a4c52d07e173573dbe51cb80676ba87c154c25db39
Instruction ID: cc2b0de8d3cc897672aeb71ca4c94d081f9917bac7ca1de95a5b7150cf3bf197
Opcode Fuzzy Hash: baec82fc7d70137c9920f7a4c52d07e173573dbe51cb80676ba87c154c25db39
Instruction Fuzzy Hash: 9CD05E20A54C0A0AAB0C6A29889887132D1FB64341BC840B5D80EC61A1EE5DD9D8D682

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34BA3EB4 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3366573918.00007FFD34BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34ba0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3afbd52d95a0802b17bdd5840704ce1277791774e35765ab58a890b12db771ed
Instruction ID: f460f7e4ee3238e773000ca6b38785c2ceeafc882eb938d33f9e194ac933644c
Opcode Fuzzy Hash: 3afbd52d95a0802b17bdd5840704ce1277791774e35765ab58a890b12db771ed
Instruction Fuzzy Hash: 42E0C22120F7C40FCB02EB3488AC8847F90DE2711034900FEC086CF1B3E81D9848C712

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use hidden users to hide the presence of user accounts they create or modify. Administrators may want to hide users when there are many user accounts on a given system or if they want to hide their administrative or other management accounts from other users.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, User Account: User Account Creation, User Account: User Account Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ScreenConnect.Client.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Privilege Escalation

Compliance

Spreading

Networking

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Windows Analysis Report
ScreenConnect.Client.exe

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre