Edit tour

Windows Analysis Report
https://support.kraftcpas.com/sc.exe

Overview

General Information

Sample URL:	https://support.kraftcpas.com/sc.exe
Analysis ID:	1611144
Infos:

Detection

ScreenConnect Tool

Score:	76
Range:	0 - 100
Confidence:	100%

Signatures

Allocates memory in foreign processes

Deletes keys which are related to windows safe boot (disables safe mode boot)

Enables network access during safeboot for specific services

Modifies security policies related information

Possible COM Object hijacking

Reads the Security eventlog

Reads the System eventlog

Sigma detected: Remote Access Tool - ScreenConnect Suspicious Execution

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for available system drives (often done to infect USB drives)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates or modifies windows services

Deletes files inside the Windows folder

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found dropped PE file which has not been started or loaded

May sleep (evasive loops) to hinder dynamic analysis

Modifies existing windows services

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sigma detected: CurrentVersion Autorun Keys Modification

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara detected ScreenConnect Tool

Classification

Process Tree

System is w10x64_ra

chrome.exe (PID: 6532 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6712 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1988,i,6287229998002529323,6946941583868105719,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7224 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5268 --field-trial-handle=1988,i,6287229998002529323,6946941583868105719,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7876 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4092 --field-trial-handle=1988,i,6287229998002529323,6946941583868105719,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

sc.exe (PID: 8128 cmdline: "C:\Users\user\Downloads\sc.exe" MD5: B50C9263DEB4012C20E2506BBE0D2FB9)

msiexec.exe (PID: 4132 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\1f3845d5d6df5ded\setup.msi" MD5: 9D09DC1EDA745A5F87553048E57620CF)

chrome.exe (PID: 6936 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://support.kraftcpas.com/sc.exe" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

msiexec.exe (PID: 4396 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 7228 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 61F318B17FAAF4499342BE750C3161F6 C MD5: 9D09DC1EDA745A5F87553048E57620CF)

rundll32.exe (PID: 7244 cmdline: rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI87E3.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5343296 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments MD5: 889B99C52A60DD49227C5E485A016679)

msiexec.exe (PID: 7200 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 4A824D98542748AC85E9A056CE1B5C93 MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 3612 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 76571A3C8D810D70665DBE199B3E4E4C E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 2628 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding C205AAD155A7D2F3AEB53A3BCBEA8A19 E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)

rundll32.exe (PID: 688 cmdline: rundll32.exe "C:\Windows\Installer\MSIC906.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5359968 12 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments MD5: 889B99C52A60DD49227C5E485A016679)

ScreenConnect.ClientService.exe (PID: 1088 cmdline: "C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=kftit2.kraftcpas.com&p=8041&s=835eb257-db34-4ce9-8568-a0d17d9f150a&k=BgIAAACkAABSU0ExAAgAAAEAAQAdxBFc7kDjCF00RBf%2fnSmccUZ40PT%2fMPVLE8e7zBL9V%2fmsKIm67oy%2ft8Av3PeBa%2b8a4w2PzvaXpb8fUdIvHdrHMQj8645KXLUFx%2ffToi9RswLjivimR9oXBd8K8lAMpLEtqn4rtdn12OsHpoZ%2bUSeLyNqD%2bqzSjLZSSfRvwn0eGxTHpJBQbYnaTunIAHaXxxs45cIM2uEFe1hBedCK4hKbtCT6b%2fFVUG6xOh%2fC9OIRO6MqDWDNGF9jhjk6QspOAE4NxGP4dTHd1eXtvxUPJZFunm%2fU5nTbtrWNK32xE9of98%2fbTuFLGIMNhuyZFVio0CLwAIk5NVo%2bLMP%2f9jnQHIWl&c=OutsideKraft&c=&c=&c=&c=&c=&c=&c=" MD5: 89D3D099B6D8731BD1B7F5A68B5BF17C)

ScreenConnect.WindowsClient.exe (PID: 304 cmdline: "C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe" "RunRole" "c4ec8d85-e3dc-4c97-8588-e3159350bf27" "User" MD5: 19E093BC974D1ED6399F50B7FA3BE1F8)

ScreenConnect.WindowsClient.exe (PID: 1176 cmdline: "C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe" "RunRole" "8efc418e-e48b-4494-8e58-8dbafeec5d32" "System" MD5: 19E093BC974D1ED6399F50B7FA3BE1F8)

ScreenConnect.ClientSetup.exe (PID: 2784 cmdline: "C:\Windows\TEMP\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe" MD5: D8FFEB7053270F96D65CC934EC2458C9)

msiexec.exe (PID: 2292 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Windows\SystemTemp\ScreenConnect\24.3.7.9067\1f3845d5d6df5ded\ScreenConnect.ClientSetup.msi" MD5: 9D09DC1EDA745A5F87553048E57620CF)

ScreenConnect.ClientService.exe (PID: 5696 cmdline: "C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=kftit2.kraftcpas.com&p=8041&s=835eb257-db34-4ce9-8568-a0d17d9f150a&k=BgIAAACkAABSU0ExAAgAAAEAAQAdxBFc7kDjCF00RBf%2fnSmccUZ40PT%2fMPVLE8e7zBL9V%2fmsKIm67oy%2ft8Av3PeBa%2b8a4w2PzvaXpb8fUdIvHdrHMQj8645KXLUFx%2ffToi9RswLjivimR9oXBd8K8lAMpLEtqn4rtdn12OsHpoZ%2bUSeLyNqD%2bqzSjLZSSfRvwn0eGxTHpJBQbYnaTunIAHaXxxs45cIM2uEFe1hBedCK4hKbtCT6b%2fFVUG6xOh%2fC9OIRO6MqDWDNGF9jhjk6QspOAE4NxGP4dTHd1eXtvxUPJZFunm%2fU5nTbtrWNK32xE9of98%2fbTuFLGIMNhuyZFVio0CLwAIk5NVo%2bLMP%2f9jnQHIWl&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAA6hOeZzRi30awChR5w%2b4wgAAAAAACAAAAAAAQZgAAAAEAACAAAAC3Q5YVtXedXRBx4wJROHFnCdsQsEf7XIe0wl0WnFCByAAAAAAOgAAAAAIAACAAAAAw%2br0ZRKwqygT3OCXreryD2ZZRbTaFkwLZtWb4ezq7%2fKAEAADENwQEyG29MsXa91sVvk6mp7ykaecxtdAgjpzT0zvytZaIQAdGPWej4263JKxpUCs3ouCqW6eF8RLhvaINhyStlfuOLjpxP6g3ONrSW0tmbnGwS8BWoQyfKKK7MOnnLKws51U5RVCxyEWcRalMZS0CYNFAq9Ol6hY6ZeN5gyIMcwWmUnGT9X0ZFRLXLq5n%2brTfXhE6jmQSU%2bwR6HgzMtTVUU5s%2ffGkoL29aMaxLF05PeSim2rAv26RLKBMT2vOK9BxExrqMb%2fHOfIU09WaslOMmafg4QuA%2ficLQHSjdJygwGIeW59S%2bEDVKtZ2cznWSkO6wVzjjWppR3HQpGssQh7WLVaWIY4xvdOOF93YSklNVxekvjcwLNotNuAQO3hbUMWyVmhzQtEjaT15wombyXcPdd6ug3YDOPihAVBKjm9vQf7PRIG9wBJpk8iIazmAmqw0qp215Bit6%2bVHpuEnfAvO9PDrJMEYYkOkhp50Z28QDNg2EX3C71D9jNqHkffmmNRDg3ZPLQ5OffHqAp5I8OxxRDT5smb6HxtLfJSu%2b3E4kSHskxQ8LCYAX41xse6vDflcm9a3MFcW5W1b4CfqV5Cb5HQrrj5L1AkLMb4DDu4js8FlnAuX6Mm1ykacVEzhBmnL%2fS0p4k2lyTSDm3rjdgryHUtJWjxvQRUpZ4ilemvrkk3JjgW6N2jg7iyz1nSYvvMq9zddZYuY4ot04tNT7K%2f1TGJVoUi55hvskgySjBJR%2bi9%2b%2bNwVpY27PN9D%2bt3HJV7eygc9tfmGl42JnJnn4fTa1DuNVxY679n%2foNuUWlZZ50Lxn9mvIa%2fiN4COmgh26wwi5fP%2bF3Xbl%2bCtGw8Vv8BP90XIA1L2g7v647J7FZIGJ1IO9cd7Eo0A4ourxd5ECTRl%2b7omlWqWgU2q8tZPtf9Yfhi7DWr7d%2f57mVjTYSx4RegwivOYZLlX2zq90EalrfbXFGmd%2flmeDVnDJDtWvKeyItiLWZtHO%2baL1SRvm520BuBX6OqLrI2LjpQMlvM14WB4Xq1m%2bTS%2fqzBtHbdSbqRRFeGrf%2fwSmY1rAx0C%2f5Ai%2bBqluPvuMmehgDZvGOcoZBRPpvDQCab0YOh5BrL9oBhnnvPcZtAMLIY3tM0oyC97wdm4%2flDXd5pEfWFQHgzA0vePDdltBHO80UGGlLzRSMGMu%2fk8dU3p7gzyjszsSAHff2%2blFmgeA8G3ktOoZxibq2SBTh6rzziLBDm3xnH2ffXucTvAUIZMbc8ZoKar2w7ajjdqxCY%2b5rO4Cg4Abl05WcakIg%2b5Z7tTIEkHVs0aWOiXST4j3ZGImCI%2bHHMqbc%2fpm%2baDuqPzk34GSxrAVz3jBqSKWfQ3ORPmipuTkTX8t4lkABZ0Rh1cIOFQFkDc079%2b%2f%2fM1VZCs08YtxWgOjBQaaBm8XV%2bpqFItUfbtiQU%2fh%2fqm1k%2bMmjCu1yTPjOEn3r1rfmpbj3MB94Nenif5JHHEr3S7WcakhJPL1bNLejOwEMcwe1PAIQNACe51lkUKanqi3pCqb31I1Wagld%2bIfbkQv5GxpgFZGWDucLQVQ0PhqmQdI3bRFWhtqQ4IbxQBaIVzJEAAAABAS4NE4KudpNu3IQ8jGWwoleSDucPUHP0q%2fPwq4bGxHqgDl7iaKF5RbtlBqIsagnEYn64FlOeXEZU%2fRB5N5Sf2&c=OutsideKraft&c=&c=&c=&c=&c=&c=&c=" MD5: 75B21D04C69128A7230A0998086B61AA)

ScreenConnect.WindowsClient.exe (PID: 7452 cmdline: "C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe" "RunRole" "468e3f16-c21b-497b-9a8f-5415321592bd" "User" MD5: 1778204A8C3BC2B8E5E4194EDBAF7135)

ScreenConnect.WindowsClient.exe (PID: 3744 cmdline: "C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe" "RunRole" "77455a31-8f8b-4c3d-95dc-87ea0380a8a7" "System" MD5: 1778204A8C3BC2B8E5E4194EDBAF7135)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Users\user\Downloads\Unconfirmed 89551.crdownload	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Users\user\Downloads\Unconfirmed 89551.crdownload	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Config.Msi\518d81.rbs	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Windows\Installer\MSI8FB3.tmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Users\user\Downloads\Unconfirmed 89551.crdownload	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Windows\Temp\~DF91089BB5242F6CFB.TMP	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Windows\Installer\inprogressinstallinfo.ipi	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Windows\Temp\~DFC6A32B46AE054BD9.TMP	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Config.Msi\518d81.rbs	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Config.Msi\518d86.rbs	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Config.Msi\518d95.rbs	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Windows\Installer\MSI8FB3.tmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Windows\Installer\MSIF4EA.tmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Users\user\Downloads\Unconfirmed 89551.crdownload	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Windows\Temp\~DF91089BB5242F6CFB.TMP	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Windows\Installer\inprogressinstallinfo.ipi	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Windows\Temp\~DFC6A32B46AE054BD9.TMP	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Config.Msi\518d81.rbs	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Config.Msi\518d86.rbs	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Config.Msi\518d95.rbs	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Windows\Installer\MSI8FB3.tmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Windows\Installer\MSIF4EA.tmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Users\user\Downloads\Unconfirmed 89551.crdownload	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
Click to see the 26 entries

Memory Dumps

Source	Rule	Description	Author
00000009.00000000.1887949366.00000000008B6000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
00000011.00000000.1936530876.0000000000402000.00000002.00000001.01000000.00000010.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
00000009.00000002.1923292406.0000000005890000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
00000013.00000000.2047645794.0000000000B26000.00000002.00000001.01000000.00000015.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
00000012.00000002.1968684628.0000000002711000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
00000010.00000002.2216037109.000000000576F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
00000018.00000000.2189085990.0000000000F42000.00000002.00000001.01000000.00000010.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
00000010.00000002.2216037109.000000000573E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
00000010.00000002.2175170467.00000000014E7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
00000013.00000002.2101548762.0000000004590000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
00000011.00000002.2106866565.00000000028EA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
00000019.00000002.2246847004.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
00000018.00000002.2545329341.0000000003271000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
Click to see the 8 entries

Sigma Signatures

System Summary

Sigma detected: Remote Access Tool - ScreenConnect Suspicious Execution

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=kftit2.kraftcpas.com&p=8041&s=835eb257-db34-4ce9-8568-a0d17d9f150a&k=BgIAAACkAABSU0ExAAgAAAEAAQAdxBFc7kDjCF00RBf%2fnSmccUZ40PT%2fMPVLE8e7zBL9V%2fmsKIm67oy%2ft8Av3PeBa%2b8a4w2PzvaXpb8fUdIvHdrHMQj8645KXLUFx%2ffToi9RswLjivimR9oXBd8K8lAMpLEtqn4rtdn12OsHpoZ%2bUSeLyNqD%2bqzSjLZSSfRvwn0eGxTHpJBQbYnaTunIAHaXxxs45cIM2uEFe1hBedCK4hKbtCT6b%2fFVUG6xOh%2fC9OIRO6MqDWDNGF9jhjk6QspOAE4NxGP4dTHd1eXtvxUPJZFunm%2fU5nTbtrWNK32xE9of98%2fbTuFLGIMNhuyZFVio0CLwAIk5NVo%2bLMP%2f9jnQHIWl&c=OutsideKraft&c=&c=&c=&c=&c=&c=&c=", CommandLine: "C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=kftit2.kraftcpas.com&p=8041&s=835eb257-db34-4ce9-8568-a0d17d9f150a&k=BgIAAACkAABSU0ExAAgAAAEAAQAdxBFc7kDjCF00RBf%2fnSmccUZ40PT%2fMPVLE8e7zBL9V%2fmsKIm67oy%2ft8Av3PeBa%2b8a4w2PzvaXpb8fUdIvHdrHMQj8645KXLUFx%2ffToi9RswLjivimR9oXBd8K8lAMpLEtqn4rtdn12OsHpoZ%2bUSeLyNqD%2bqzSjLZSSfRvwn0eGxTHpJBQbYnaTunIAHaXxxs45cIM2uEFe1hBedCK4hKbtCT6b%2fFVUG6xOh%2fC9OIRO6MqDWDNGF9jhjk6QspOAE4NxGP4dTHd1eXtvxUPJZFunm%2fU5nTbtrWNK32xE9of98%2fbTuFLGIMNhuyZFVio0CLwAIk5NVo%2bLMP%2f9jnQHIWl&c=OutsideKraft&c=&c=&c=&c=&c=&c=&c=", CommandLine|base64offset|contains: )^, Image: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe, NewProcessName: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe, OriginalFileName: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 656, ProcessCommandLine: "C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=kftit2.kraftcpas.com&p=8041&s=835eb257-db34-4ce9-8568-a0d17d9f150a&k=BgIAAACkAABSU0ExAAgAAAEAAQAdxBFc7kDjCF00RBf%2fnSmccUZ40PT%2fMPVLE8e7zBL9V%2fmsKIm67oy%2ft8Av3PeBa%2b8a4w2PzvaXpb8fUdIvHdrHMQj8645KXLUFx%2ffToi9RswLjivimR9oXBd8K8lAMpLEtqn4rtdn12OsHpoZ%2bUSeLyNqD%2bqzSjLZSSfRvwn0eGxTHpJBQbYnaTunIAHaXxxs45cIM2uEFe1hBedCK4hKbtCT6b%2fFVUG6xOh%2fC9OIRO6MqDWDNGF9jhjk6QspOAE4NxGP4dTHd1eXtvxUPJZFunm%2fU5nTbtrWNK32xE9of98%2fbTuFLGIMNhuyZFVio0CLwAIk5NVo%2bLMP%2f9jnQHIWl&c=OutsideKraft&c=&c=&c=&c=&c=&c=&c=", ProcessId: 1088, ProcessName: ScreenConnect.ClientService.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: ScreenConnect Client (1f3845d5d6df5ded) Credential Provider, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\msiexec.exe, ProcessId: 4396, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{6FF59A85-BC37-4CD4-F226-FCD43F2B8D28}\(Default)

Suricata Signatures

ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-10T15:48:56.224351+0100	2019714	2	Potentially Bad Traffic	192.168.2.16	49714	173.221.5.248	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: unknown	HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.16:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.16:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.16:49971 version: TLS 1.2

Source: C:\Windows\System32\msiexec.exe	File opened: z:
Source: C:\Windows\System32\msiexec.exe	File opened: x:
Source: C:\Windows\System32\msiexec.exe	File opened: v:
Source: C:\Windows\System32\msiexec.exe	File opened: t:
Source: C:\Windows\System32\msiexec.exe	File opened: r:
Source: C:\Windows\System32\msiexec.exe	File opened: p:
Source: C:\Windows\System32\msiexec.exe	File opened: n:
Source: C:\Windows\System32\msiexec.exe	File opened: l:
Source: C:\Windows\System32\msiexec.exe	File opened: j:
Source: C:\Windows\System32\msiexec.exe	File opened: h:
Source: C:\Windows\System32\msiexec.exe	File opened: f:
Source: C:\Windows\System32\msiexec.exe	File opened: b:
Source: C:\Windows\System32\msiexec.exe	File opened: y:
Source: C:\Windows\System32\msiexec.exe	File opened: w:
Source: C:\Windows\System32\msiexec.exe	File opened: u:
Source: C:\Windows\System32\msiexec.exe	File opened: s:
Source: C:\Windows\System32\msiexec.exe	File opened: q:
Source: C:\Windows\System32\msiexec.exe	File opened: o:
Source: C:\Windows\System32\msiexec.exe	File opened: m:
Source: C:\Windows\System32\msiexec.exe	File opened: k:
Source: C:\Windows\System32\msiexec.exe	File opened: i:
Source: C:\Windows\System32\msiexec.exe	File opened: g:
Source: C:\Windows\System32\msiexec.exe	File opened: e:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:

Networking

Enables network access during safeboot for specific services

Source: C:\Windows\System32\msiexec.exe	Registry value created: NULL Service
Source: C:\Windows\System32\msiexec.exe	Registry value created: NULL Service

Source: Network traffic

Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.16:49714 -> 173.221.5.248:443

Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45

Source: global traffic	DNS traffic detected: DNS query: support.kraftcpas.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: kftit2.kraftcpas.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49984
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49983
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49980
Source: unknown	Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49990 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49976
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49975
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49974
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49973
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49972
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49971
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49970
Source: unknown	Network traffic detected: HTTP traffic on port 49967 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49909 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49943 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49969
Source: unknown	Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49968
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49967
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49966
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49965
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49964
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49963
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49962
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49961
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49960
Source: unknown	Network traffic detected: HTTP traffic on port 49966 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49989 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49933 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49959
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49958
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 49921 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49957
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49956
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49955
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49954
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49953
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49952
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49951
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49950
Source: unknown	Network traffic detected: HTTP traffic on port 49944 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49910 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49955 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49949
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49948
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49947
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49946
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49945
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49944
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49943
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49945 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49968 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49980 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49899
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49898
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49897
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49895
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49893
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49892
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49897 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49911 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49957 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49991 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49889
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49888
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49956 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49878
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49877
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49996
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49995
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown	Network traffic detected: HTTP traffic on port 49923 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49993
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49870
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49991
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49934 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49868
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49989
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49867
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49988
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49866
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49987
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49906 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49900 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49929 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49964 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49918 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49930 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49963 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 49952 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50000
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50003
Source: unknown	Network traffic detected: HTTP traffic on port 49895 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49907 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49941 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50003 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49942 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49919 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49954 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49953 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49908 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49931 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49987 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49920 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49949 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49961 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49984 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49950 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49996 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49893 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49915 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49972 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49892 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49904 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49927 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49983 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49938 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49951 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49916 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49939 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49868 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49985 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50000 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49905 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49995 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49940 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49973 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49891 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49917 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49962 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49970 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49878 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49912 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49935 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49958 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49866 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49946 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49901 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49924 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49947 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49992 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49969 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49913 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49867 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49942
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49941
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49940
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49939
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49938
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49937
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49936
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814

Source: unknown	HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.16:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.16:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.16:49971 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands

Reads the Security eventlog

Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnect
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security

Reads the System eventlog

Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\518d80.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{0342A67D-0053-DFEE-0A08-DF71BC234833}
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8FB3.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8FD3.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI91C8.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\518d82.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\518d82.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{0342A67D-0053-DFEE-0A08-DF71BC234833}
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{0342A67D-0053-DFEE-0A08-DF71BC234833}\DefaultIcon
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Windows\Installer\wix{0342A67D-0053-DFEE-0A08-DF71BC234833}.SchedServiceConfig.rmi
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (1f3845d5d6df5ded)
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (1f3845d5d6df5ded)\d0u5oeho.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (1f3845d5d6df5ded)\d0u5oeho.newcfg
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\518d83.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC906.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIEA5A.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{9FF4A03F-5075-457D-F12F-8D275EB8C7A4}
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF4EA.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF4FB.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF692.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\518d96.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\518d96.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{9FF4A03F-5075-457D-F12F-8D275EB8C7A4}
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{9FF4A03F-5075-457D-F12F-8D275EB8C7A4}\DefaultIcon
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	File created: C:\Windows\SystemTemp\ScreenConnect
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	File created: C:\Windows\SystemTemp\ScreenConnect\24.3.7.9067
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	File created: C:\Windows\SystemTemp\ScreenConnect\24.3.7.9067\1f3845d5d6df5ded
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	File created: C:\Windows\SystemTemp\ScreenConnect\24.3.7.9067\1f3845d5d6df5ded\ScreenConnect.ClientSetup.msi
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Windows\Installer\wix{9FF4A03F-5075-457D-F12F-8D275EB8C7A4}.SchedServiceConfig.rmi
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC906.tmp-
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC906.tmp-\ScreenConnect.InstallerActions.dll
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC906.tmp-\Microsoft.Deployment.WindowsInstaller.dll
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC906.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC906.tmp-\ScreenConnect.Core.dll
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC906.tmp-\ScreenConnect.Windows.dll
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC906.tmp-\Microsoft.Deployment.Compression.dll
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC906.tmp-\Microsoft.Deployment.Compression.Cab.dll
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC906.tmp-\CustomAction.config
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (1f3845d5d6df5ded)\yjawcwqp.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (1f3845d5d6df5ded)\yjawcwqp.newcfg

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI8FD3.tmp

Source: unknown

Process created: Commandline size = 2587

Source: classification engine

Classification label: mal76.evad.win@52/67@6/62

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\Downloads\83553e81-30ed-435c-95b0-17ff3998f853.tmp

Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Mutant created: NULL
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0

Source: C:\Users\user\Downloads\sc.exe

File created: C:\Users\user\AppData\Local\Temp\ScreenConnect

Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor

Source: C:\Users\user\Downloads\sc.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Users\user\Downloads\sc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI87E3.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5343296 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1988,i,6287229998002529323,6946941583868105719,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://support.kraftcpas.com/sc.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5268 --field-trial-handle=1988,i,6287229998002529323,6946941583868105719,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1988,i,6287229998002529323,6946941583868105719,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5268 --field-trial-handle=1988,i,6287229998002529323,6946941583868105719,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4092 --field-trial-handle=1988,i,6287229998002529323,6946941583868105719,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Users\user\Downloads\sc.exe "C:\Users\user\Downloads\sc.exe"
Source: C:\Users\user\Downloads\sc.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\1f3845d5d6df5ded\setup.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4092 --field-trial-handle=1988,i,6287229998002529323,6946941583868105719,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Users\user\Downloads\sc.exe "C:\Users\user\Downloads\sc.exe"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 61F318B17FAAF4499342BE750C3161F6 C
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI87E3.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5343296 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 4A824D98542748AC85E9A056CE1B5C93
Source: C:\Users\user\Downloads\sc.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\1f3845d5d6df5ded\setup.msi"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 76571A3C8D810D70665DBE199B3E4E4C E Global\MSI0000
Source: unknown	Process created: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe "C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=kftit2.kraftcpas.com&p=8041&s=835eb257-db34-4ce9-8568-a0d17d9f150a&k=BgIAAACkAABSU0ExAAgAAAEAAQAdxBFc7kDjCF00RBf%2fnSmccUZ40PT%2fMPVLE8e7zBL9V%2fmsKIm67oy%2ft8Av3PeBa%2b8a4w2PzvaXpb8fUdIvHdrHMQj8645KXLUFx%2ffToi9RswLjivimR9oXBd8K8lAMpLEtqn4rtdn12OsHpoZ%2bUSeLyNqD%2bqzSjLZSSfRvwn0eGxTHpJBQbYnaTunIAHaXxxs45cIM2uEFe1hBedCK4hKbtCT6b%2fFVUG6xOh%2fC9OIRO6MqDWDNGF9jhjk6QspOAE4NxGP4dTHd1eXtvxUPJZFunm%2fU5nTbtrWNK32xE9of98%2fbTuFLGIMNhuyZFVio0CLwAIk5NVo%2bLMP%2f9jnQHIWl&c=OutsideKraft&c=&c=&c=&c=&c=&c=&c="
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process created: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe" "RunRole" "c4ec8d85-e3dc-4c97-8588-e3159350bf27" "User"
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process created: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe" "RunRole" "8efc418e-e48b-4494-8e58-8dbafeec5d32" "System"
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process created: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe "C:\Windows\TEMP\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe"
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Windows\SystemTemp\ScreenConnect\24.3.7.9067\1f3845d5d6df5ded\ScreenConnect.ClientSetup.msi"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 4A824D98542748AC85E9A056CE1B5C93
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 76571A3C8D810D70665DBE199B3E4E4C E Global\MSI0000
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding C205AAD155A7D2F3AEB53A3BCBEA8A19 E Global\MSI0000
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIC906.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5359968 12 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI87E3.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5343296 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process created: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe" "RunRole" "c4ec8d85-e3dc-4c97-8588-e3159350bf27" "User"
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process created: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe" "RunRole" "8efc418e-e48b-4494-8e58-8dbafeec5d32" "System"
Source: unknown	Process created: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe "C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=kftit2.kraftcpas.com&p=8041&s=835eb257-db34-4ce9-8568-a0d17d9f150a&k=BgIAAACkAABSU0ExAAgAAAEAAQAdxBFc7kDjCF00RBf%2fnSmccUZ40PT%2fMPVLE8e7zBL9V%2fmsKIm67oy%2ft8Av3PeBa%2b8a4w2PzvaXpb8fUdIvHdrHMQj8645KXLUFx%2ffToi9RswLjivimR9oXBd8K8lAMpLEtqn4rtdn12OsHpoZ%2bUSeLyNqD%2bqzSjLZSSfRvwn0eGxTHpJBQbYnaTunIAHaXxxs45cIM2uEFe1hBedCK4hKbtCT6b%2fFVUG6xOh%2fC9OIRO6MqDWDNGF9jhjk6QspOAE4NxGP4dTHd1eXtvxUPJZFunm%2fU5nTbtrWNK32xE9of98%2fbTuFLGIMNhuyZFVio0CLwAIk5NVo%2bLMP%2f9jnQHIWl&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAA6hOeZzRi30awChR5w%2b4wgAAAAAACAAAAAAAQZgAAAAEAACAAAAC3Q5YVtXedXRBx4wJROHFnCdsQsEf7XIe0wl0WnFCByAAAAAAOgAAAAAIAACAAAAAw%2br0ZRKwqygT3OCXreryD2ZZRbTaFkwLZtWb4ezq7%2fKAEAADENwQEyG29MsXa91sVvk6mp7ykaecxtdAgjpzT0zvytZaIQAdGPWej4263JKxpUCs3ouCqW6eF8RLhvaINhyStlfuOLjpxP6g3ONrSW0tmbnGwS8BWoQyfKKK7MOnnLKws51U5RVCxyEWcRalMZS0CYNFAq9Ol6hY6ZeN5gyIMcwWmUnGT9X0ZFRLXLq5n%2brTfXhE6jmQSU%2bwR6HgzMtTVUU5s%2ffGkoL29aMaxLF05PeSim2rAv26RLKBMT2vOK9BxExrqMb%2fHOfIU09WaslOMmafg4QuA%2ficLQHSjdJygwGIeW59S%2bEDVKtZ2cznWSkO6wVzjjWppR3HQpGssQh7WLVaWIY4xvdOOF93YSklNVxekvjcwLNotNuAQO3hbUMWyVmhzQtEjaT15wombyXcPdd6ug3YDOPihAVBKjm9vQf7PRIG9wBJpk8iIazmAmqw0qp215Bit6%2bVHpuEnfAvO9PDrJMEYYkOkhp50Z28QDNg2EX3C71D9jNqHkffmmNRDg3ZPLQ5OffHqAp5I8OxxRDT5smb6HxtLfJSu%2b3E4kSHskxQ8LCYAX41xse6vDflcm9a3MFcW5W1b4CfqV5Cb5HQrrj5L1AkLMb4DDu4js8FlnAuX6Mm1ykacVEzhBmnL%2fS0p4k2lyTSDm3rjdgryHUtJWjxvQRUpZ4ilemvrkk3JjgW6N2jg7iyz1nSYvvMq9zddZYuY4ot04tNT7K%2f1TGJVoUi55hvskgySjBJR%2bi9%2b%2bNwVpY27PN9D%2bt3HJV7eygc9tfmGl42JnJnn4fTa1DuNVxY679n%2foNuUWlZZ50Lxn9mvIa%2fiN4COmgh26wwi5fP%2bF3Xbl%2bCtGw8Vv8BP90XIA1L2g7v647J7FZIGJ1IO9cd7Eo0A4ourxd5ECTRl%2b7omlWqWgU2q8tZPtf9Yfhi7DWr7d%2f57mVjTYSx4RegwivOYZLlX2zq90EalrfbXFGmd%2flmeDVnDJDtWvKeyItiLWZtHO%2baL1SRvm520BuBX6OqLrI2LjpQMlvM14WB4Xq1m%2bTS%2fqzBtHbdSbqRRFeGrf%2fwSmY1rAx0C%2f5Ai%2bBqluPvuMmehgDZvGOcoZBRPpvDQCab0YOh5BrL9oBhnnvPcZtAMLIY3tM0oyC97wdm4%2flDXd5pEfWFQHgzA0vePDdltBHO80UGGlLzRSMGMu%2fk8dU3p7gzyjszsSAHff2%2blFmgeA8G3ktOoZxibq2SBTh6rzziLBDm3xnH2ffXucTvAUIZMbc8ZoKar2w7ajjdqxCY%2b5rO4Cg4Abl05WcakIg%2b5Z7tTIEkHVs0aWOiXST4j3ZGImCI%2bHHMqbc%2fpm%2baDuqPzk34GSxrAVz3jBqSKWfQ3ORPmipuTkTX8t4lkABZ0Rh1cIOFQFkDc079%2b%2f%2fM1VZCs08YtxWgOjBQaaBm8XV%2bpqFItUfbtiQU%2fh%2fqm1k%2bMmjCu1yTPjOEn3r1rfmpbj3MB94Nenif5JHHEr3S7WcakhJPL1bNLejOwEMcwe1PAIQNACe51lkUKanqi3pCqb31I1Wagld%2bIfbkQv5GxpgFZGWDucLQVQ0PhqmQdI3bRFWhtqQ4IbxQBaIVzJEAAAABAS4NE4KudpNu3IQ8jGWwoleSDucPUHP0q%2fPwq4bGxHqgDl7iaKF5RbtlBqIsagnEYn64FlOeXEZU%2fRB5N5Sf2&c=OutsideKraft&c=&c=&c=&c=&c=&c=&c="
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process created: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe" "RunRole" "468e3f16-c21b-497b-9a8f-5415321592bd" "User"
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process created: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe" "RunRole" "77455a31-8f8b-4c3d-95dc-87ea0380a8a7" "System"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding C205AAD155A7D2F3AEB53A3BCBEA8A19 E Global\MSI0000
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Windows\SystemTemp\ScreenConnect\24.3.7.9067\1f3845d5d6df5ded\ScreenConnect.ClientSetup.msi"
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIC906.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5359968 12 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process created: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe" "RunRole" "468e3f16-c21b-497b-9a8f-5415321592bd" "User"
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process created: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe" "RunRole" "77455a31-8f8b-4c3d-95dc-87ea0380a8a7" "System"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: C:\Users\user\Downloads\sc.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Downloads\sc.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Downloads\sc.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Downloads\sc.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Downloads\sc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Downloads\sc.exe	Section loaded: wldp.dll
Source: C:\Users\user\Downloads\sc.exe	Section loaded: amsi.dll
Source: C:\Users\user\Downloads\sc.exe	Section loaded: userenv.dll
Source: C:\Users\user\Downloads\sc.exe	Section loaded: profapi.dll
Source: C:\Users\user\Downloads\sc.exe	Section loaded: version.dll
Source: C:\Users\user\Downloads\sc.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Downloads\sc.exe	Section loaded: gpapi.dll
Source: C:\Users\user\Downloads\sc.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Downloads\sc.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Downloads\sc.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Downloads\sc.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Downloads\sc.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Downloads\sc.exe	Section loaded: propsys.dll
Source: C:\Users\user\Downloads\sc.exe	Section loaded: edputil.dll
Source: C:\Users\user\Downloads\sc.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Downloads\sc.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Downloads\sc.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Downloads\sc.exe	Section loaded: netutils.dll
Source: C:\Users\user\Downloads\sc.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Downloads\sc.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Downloads\sc.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Downloads\sc.exe	Section loaded: appresolver.dll
Source: C:\Users\user\Downloads\sc.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\Downloads\sc.exe	Section loaded: slc.dll
Source: C:\Users\user\Downloads\sc.exe	Section loaded: sppc.dll
Source: C:\Users\user\Downloads\sc.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Downloads\sc.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msihnd.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: dpapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: samcli.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: samlib.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: edputil.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: appresolver.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: slc.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: sppc.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: windowscodecs.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: windowscodecs.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Section loaded: apphelp.dll
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Section loaded: mscoree.dll
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Section loaded: wldp.dll
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Section loaded: amsi.dll
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Section loaded: userenv.dll
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Section loaded: profapi.dll
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Section loaded: version.dll
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Section loaded: msasn1.dll
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Section loaded: gpapi.dll
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Section loaded: propsys.dll
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Section loaded: edputil.dll
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Section loaded: urlmon.dll
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Section loaded: iertutil.dll
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Section loaded: srvcli.dll
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Section loaded: netutils.dll
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Section loaded: sspicli.dll
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Section loaded: wintypes.dll
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Section loaded: appresolver.dll
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Section loaded: slc.dll
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Section loaded: sppc.dll
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rstrtmgr.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: samcli.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: samlib.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Section loaded: dpapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Section loaded: windowscodecs.dll

Source: C:\Users\user\Downloads\sc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Downloads\sc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Persistence and Installation Behavior

Possible COM Object hijacking

Source: c:\program files (x86)\screenconnect client (1f3845d5d6df5ded)\screenconnect.windowscredentialprovider.dll	COM Object registered for dropped file: hkey_local_machine\software\classes\clsid\{6ff59a85-bc37-4cd4-f226-fcd43f2b8d28}\inprocserver32
Source: c:\program files (x86)\screenconnect client (1f3845d5d6df5ded)\screenconnect.windowscredentialprovider.dll	COM Object registered for dropped file: hkey_local_machine\software\classes\clsid\{6ff59a85-bc37-4cd4-f226-fcd43f2b8d28}\inprocserver32
Source: c:\program files (x86)\screenconnect client (1f3845d5d6df5ded)\screenconnect.windowscredentialprovider.dll	COM Object registered for dropped file: hkey_local_machine\software\classes\clsid\{6ff59a85-bc37-4cd4-f226-fcd43f2b8d28}\inprocserver32
Source: c:\program files (x86)\screenconnect client (1f3845d5d6df5ded)\screenconnect.windowscredentialprovider.dll	COM Object registered for dropped file: hkey_local_machine\software\classes\clsid\{6ff59a85-bc37-4cd4-f226-fcd43f2b8d28}\inprocserver32
Source: c:\program files (x86)\screenconnect client (1f3845d5d6df5ded)\screenconnect.windowscredentialprovider.dll	COM Object registered for dropped file: hkey_local_machine\software\classes\clsid\{6ff59a85-bc37-4cd4-f226-fcd43f2b8d28}\inprocserver32

Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI87E3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC906.tmp-\Microsoft.Deployment.Compression.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC906.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC906.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC906.tmp-\ScreenConnect.InstallerActions.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsCredentialProvider.dll	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\Downloads\Unconfirmed 89551.crdownload	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8FD3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC906.tmp-\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\Downloads\83553e81-30ed-435c-95b0-17ff3998f853.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsAuthenticationPackage.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC906.tmp-\Microsoft.Deployment.Compression.Cab.dll	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\Downloads\2b646320-4314-4613-9cbb-d88810290148.tmp	Jump to dropped file
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	File created: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC906.tmp-\Microsoft.Deployment.Compression.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC906.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC906.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC906.tmp-\ScreenConnect.InstallerActions.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8FD3.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC906.tmp-\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC906.tmp-\Microsoft.Deployment.Compression.Cab.dll	Jump to dropped file
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	File created: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Jump to dropped file

Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application

Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (1f3845d5d6df5ded)

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

Process created: C:\Users\user\Downloads\sc.exe "C:\Users\user\Downloads\sc.exe"

Source: C:\Users\user\Downloads\sc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\sc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\sc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\sc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\sc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\sc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\sc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\sc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\sc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\sc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\sc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\sc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\sc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\sc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\sc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\sc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\sc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\sc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\sc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\sc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\sc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\sc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\sc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\sc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\sc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\sc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Downloads\sc.exe	Memory allocated: 11A0000 memory reserve \| memory write watch
Source: C:\Users\user\Downloads\sc.exe	Memory allocated: 2FD0000 memory reserve \| memory write watch
Source: C:\Users\user\Downloads\sc.exe	Memory allocated: 2E20000 memory reserve \| memory write watch
Source: C:\Users\user\Downloads\sc.exe	Memory allocated: 5C90000 memory reserve \| memory write watch
Source: C:\Users\user\Downloads\sc.exe	Memory allocated: 6C90000 memory reserve \| memory write watch
Source: C:\Users\user\Downloads\sc.exe	Memory allocated: 6DC0000 memory reserve \| memory write watch
Source: C:\Users\user\Downloads\sc.exe	Memory allocated: 8DC0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Memory allocated: 2040000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Memory allocated: 2270000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Memory allocated: 2080000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Memory allocated: CC0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Memory allocated: 1A7F0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Memory allocated: 800000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Memory allocated: 1A710000 memory reserve \| memory write watch
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Memory allocated: 1140000 memory reserve \| memory write watch
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Memory allocated: 1D50000 memory reserve \| memory write watch
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Memory allocated: 1590000 memory reserve \| memory write watch
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Memory allocated: 53E0000 memory reserve \| memory write watch
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Memory allocated: 4AC0000 memory reserve \| memory write watch
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Memory allocated: 63E0000 memory reserve \| memory write watch
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Memory allocated: 73E0000 memory reserve \| memory write watch
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Memory allocated: 7660000 memory reserve \| memory write watch
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Memory allocated: 8660000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Memory allocated: 1CD0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Memory allocated: 1D30000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Memory allocated: 3D30000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Memory allocated: 31B0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Memory allocated: 1B270000 memory reserve \| memory write watch

Source: C:\Users\user\Downloads\sc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI87E3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.dll
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIC906.tmp-\Microsoft.Deployment.Compression.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.Client.dll
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIC906.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIC906.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIC906.tmp-\ScreenConnect.InstallerActions.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsCredentialProvider.dll
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI8FD3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsBackstageShell.exe
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIC906.tmp-\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsAuthenticationPackage.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIC906.tmp-\Microsoft.Deployment.Compression.Cab.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsFileManager.exe	Jump to dropped file

Source: C:\Users\user\Downloads\sc.exe TID: 8152	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe TID: 4512	Thread sleep count: 41 > 30
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe TID: 6056	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe TID: 6952	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe TID: 756	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe TID: 2420	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS

Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem

Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor

Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Downloads\sc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Downloads\sc.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process token adjusted: Debug
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Process token adjusted: Debug

Source: C:\Users\user\Downloads\sc.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe

Memory allocated: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe base: 580000 protect: page read and write

Writes to foreign memory regions

Source: C:\Windows\System32\msiexec.exe	Memory written: C:\Windows\SysWOW64\msiexec.exe base: 27F0000
Source: C:\Windows\System32\msiexec.exe	Memory written: C:\Windows\SysWOW64\msiexec.exe base: 29042D8
Source: C:\Windows\System32\msiexec.exe	Memory written: C:\Windows\SysWOW64\msiexec.exe base: 29051E8
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Memory written: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe base: 580000
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Memory written: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe base: 75F2D8
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Memory written: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe base: 7601E8

Source: C:\Users\user\Downloads\sc.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\1f3845d5d6df5ded\setup.msi"
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Windows\SystemTemp\ScreenConnect\24.3.7.9067\1f3845d5d6df5ded\ScreenConnect.ClientSetup.msi"

Source: unknown	Process created: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe "c:\program files (x86)\screenconnect client (1f3845d5d6df5ded)\screenconnect.clientservice.exe" "?e=access&y=guest&h=kftit2.kraftcpas.com&p=8041&s=835eb257-db34-4ce9-8568-a0d17d9f150a&k=bgiaaackaabsu0exaagaaaeaaqadxbfc7kdjcf00rbf%2fnsmccuz40pt%2fmpvle8e7zbl9v%2fmskim67oy%2ft8av3peba%2b8a4w2pzvaxpb8fudivhdrhmqj8645kxlufx%2fftoi9rswljivimr9oxbd8k8lampletqn4rtdn12oshpoz%2buselynqd%2bqzsjlzssfrvwn0egxthpjbqbynatuniahaxxxs45cim2uefe1hbedck4hkbtct6b%2ffvug6xoh%2fc9oiro6mqdwdngf9jhjk6qspoae4nxgp4dthd1extvxupjzfunm%2fu5ntbtrwnk32xe9of98%2fbtuflgimnhuyzfvio0clwaik5nvo%2blmp%2f9jnqhiwl&c=outsidekraft&c=&c=&c=&c=&c=&c=&c="
Source: unknown	Process created: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe "c:\program files (x86)\screenconnect client (1f3845d5d6df5ded)\screenconnect.clientservice.exe" "?e=access&y=guest&h=kftit2.kraftcpas.com&p=8041&s=835eb257-db34-4ce9-8568-a0d17d9f150a&k=bgiaaackaabsu0exaagaaaeaaqadxbfc7kdjcf00rbf%2fnsmccuz40pt%2fmpvle8e7zbl9v%2fmskim67oy%2ft8av3peba%2b8a4w2pzvaxpb8fudivhdrhmqj8645kxlufx%2fftoi9rswljivimr9oxbd8k8lampletqn4rtdn12oshpoz%2buselynqd%2bqzsjlzssfrvwn0egxthpjbqbynatuniahaxxxs45cim2uefe1hbedck4hkbtct6b%2ffvug6xoh%2fc9oiro6mqdwdngf9jhjk6qspoae4nxgp4dthd1extvxupjzfunm%2fu5ntbtrwnk32xe9of98%2fbtuflgimnhuyzfvio0clwaik5nvo%2blmp%2f9jnqhiwl&v=aqaaancmnd8bfderjhoawe%2fcl%2bsbaaaa6hoezzri30awchr5w%2b4wgaaaaaacaaaaaaaqzgaaaaeaacaaaac3q5yvtxedxrbx4wjrohfncdsqsef7xie0wl0wnfcbyaaaaaaogaaaaaiaacaaaaaw%2br0zrkwqygt3ocxreryd2zzrbtafkwlztwb4ezq7%2fkaeaadenwqeyg29msxa91svvk6mp7ykaecxtdagjpzt0zvytzaiqadgpwej4263jkxpucs3oucqw6ef8rlhvainhystlfuoljpxp6g3onrsw0tmbngws8bwoqyfkkk7monnlkws51u5rvcxyewcralmzs0cynfaq9ol6hy6zen5gyimcwwmungt9x0zfrlxlq5n%2brtfxhe6jmqsu%2bwr6hgzmttvuu5s%2ffgkol29amaxlf05pesim2rav26rlkbmt2vok9bxexrqmb%2fhofiu09waslommafg4qua%2ficlqhsjdjygwgiew59s%2bedvktz2cznwsko6wvzjjwppr3hqpgssqh7wlvawiy4xvdoof93ysklnvxekvjcwlnotnuaqo3hbumwyvmhzqtejat15wombyxcpdd6ug3ydopihavbkjm9vqf7prig9wbjpk8iiazmamqw0qp215bit6%2bvhpuenfavo9pdrjmeyykokhp50z28qdng2ex3c71d9jnqhkffmmnrdg3zplq5offhqap5i8oxxrdt5smb6hxtlfjsu%2b3e4kshskxq8lcyax41xse6vdflcm9a3mfcw5w1b4cfqv5cb5hqrrj5l1aklmb4ddu4js8flnaux6mm1ykacvezhbmnl%2fs0p4k2lytsdm3rjdgryhutjwjxvqrupz4ilemvrkk3jjgw6n2jg7iyz1nsyvvmq9zddzyuy4ot04tnt7k%2f1tgjvoui55hvskgysjbjr%2bi9%2b%2bnwvpy27pn9d%2bt3hjv7eygc9tfmgl42jnjnn4fta1dunvxy679n%2fonuuwlzz50lxn9mvia%2fin4comgh26wwi5fp%2bf3xbl%2bctgw8vv8bp90xia1l2g7v647j7fzigj1io9cd7eo0a4ourxd5ectrl%2b7omlwqwgu2q8tzptf9yfhi7dwr7d%2f57mvjtysx4regwivoyzllx2zq90ealrfbxfgmd%2flmedvndjdtwvkeyitilwztho%2bal1srvm520bubx6oqlri2ljpqmlvm14wb4xq1m%2bts%2fqzbthbdsbqrrfegrf%2fwsmy1rax0c%2f5ai%2bbqlupvummehgdzvgocozbrppvdqcab0yoh5brl9obhnnvpcztamliy3tm0oyc97wdm4%2fldxd5pefwfqhgza0vepddltbho80uggllzrsmgmu%2fk8du3p7gzyjszssahff2%2blfmgea8g3ktoozxibq2sbth6rzzilbdm3xnh2ffxuctvauizmbc8zokar2w7ajjdqxcy%2b5ro4cg4abl05wcakig%2b5z7ttiekhvs0awoixst4j3zgimci%2bhhmqbc%2fpm%2baduqpzk34gsxravz3jbqskwfq3orpmiputktx8t4lkabz0rh1ciofqfkdc079%2b%2f%2fm1vzcs08ytxwgojbqaabm8xv%2bpqfitufbtiqu%2fh%2fqm1k%2bmmjcu1ytpjoen3r1rfmpbj3mb94nenif5jhher3s7wcakhjpl1bnlejowemcwe1paiqnace51lkukanqi3pcqb31i1wagld%2bifbkqv5gxpgfzgwduclqvq0phqmqdi3brfwhtqq4ibxqbaivzjeaaaabas4ne4kudpnu3iq8jgwwolesducpuhp0q%2fpwq4bgxhqgdl7iakf5rbtlbqisagneyn64floexezu%2frb5n5sf2&c=outsidekraft&c=&c=&c=&c=&c=&c=&c="

Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSI87E3.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSI87E3.tmp-\ScreenConnect.InstallerActions.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSI87E3.tmp-\ScreenConnect.Core.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.Core.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.Windows.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.Client.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.Client.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.Core.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.Windows.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.Client.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.Core.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.Windows.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.dll VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.dll VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.Core.dll VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.Windows.dll VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.dll VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.Client.dll VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.Core.dll VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.Windows.dll VolumeInformation
Source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSIC906.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSIC906.tmp-\ScreenConnect.InstallerActions.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSIC906.tmp-\ScreenConnect.Core.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSIC906.tmp-\ScreenConnect.Windows.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.Core.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.Windows.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.Client.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.Client.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.Core.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.Windows.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
Source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.dll VolumeInformation

Source: C:\Users\user\Downloads\sc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Deletes keys which are related to windows safe boot (disables safe mode boot)

Source: C:\Windows\System32\msiexec.exe

Registry key or value deleted: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\ScreenConnect Client (1f3845d5d6df5ded) NULL

Modifies security policies related information

Source: C:\Windows\System32\msiexec.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa Authentication Packages

Source: Yara match	File source: C:\Users\user\Downloads\Unconfirmed 89551.crdownload, type: DROPPED
Source: Yara match	File source: 00000009.00000000.1887949366.00000000008B6000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.1936530876.0000000000402000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1923292406.0000000005890000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.2047645794.0000000000B26000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.1968684628.0000000002711000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Config.Msi\518d81.rbs, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\MSI8FB3.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\ScreenConnect\23.8.5.8707\ScreenConnect.ClientSetup.exe, type: DROPPED
Source: Yara match	File source: 00000010.00000002.2216037109.000000000576F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.2189085990.0000000000F42000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2216037109.000000000573E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2175170467.00000000014E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2101548762.0000000004590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2106866565.00000000028EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2246847004.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Windows\Temp\~DF91089BB5242F6CFB.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\inprogressinstallinfo.ipi, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DFC6A32B46AE054BD9.TMP, type: DROPPED
Source: Yara match	File source: C:\Config.Msi\518d86.rbs, type: DROPPED
Source: Yara match	File source: C:\Config.Msi\518d95.rbs, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\MSIF4EA.tmp, type: DROPPED
Source: Yara match	File source: 00000018.00000002.2545329341.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	31 Windows Management Instrumentation	1 Component Object Model Hijacking	1 Component Object Model Hijacking	22 Masquerading	OS Credential Dumping	2 Security Software Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	1 Inhibit System Recovery
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	21 Windows Service	21 Windows Service	21 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Service Execution	1 Registry Run Keys / Startup Folder	211 Process Injection	51 Virtualization/Sandbox Evasion	Security Account Manager	51 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	211 Process Injection	NTDS	11 Peripheral Device Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 DLL Side-Loading	1 Rundll32	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	44 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Source	Detection	Scanner	Label	Link
https://support.kraftcpas.com/sc.exe	0%	Avira URL Cloud	safe

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\MSI87E3.tmp	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.Client.dll	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.dll	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsBackstageShell.exe	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe	4%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsCredentialProvider.dll	0%	ReversingLabs
C:\Windows\Installer\MSI8FD3.tmp	0%	ReversingLabs
518d87.rbf (copy)	0%	ReversingLabs
518d88.rbf (copy)	0%	ReversingLabs
518d89.rbf (copy)	0%	ReversingLabs
518d8a.rbf (copy)	0%	ReversingLabs
518d8b.rbf (copy)	0%	ReversingLabs
518d8c.rbf (copy)	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsAuthenticationPackage.dll	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsFileManager.exe	0%	ReversingLabs
C:\Windows\Installer\MSIC906.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIC906.tmp-\Microsoft.Deployment.Compression.Cab.dll	0%	ReversingLabs
C:\Windows\Installer\MSIC906.tmp-\Microsoft.Deployment.Compression.dll	0%	ReversingLabs
C:\Windows\Installer\MSIC906.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll	0%	ReversingLabs
C:\Windows\Installer\MSIC906.tmp-\ScreenConnect.InstallerActions.dll	0%	ReversingLabs
C:\Windows\Installer\MSIC906.tmp-\ScreenConnect.Windows.dll	0%	ReversingLabs

Name	IP	Active	Malicious	Reputation
support.kraftcpas.com	173.221.5.248	true	false	unknown
www.google.com	142.250.184.228	true	false	high
kftit2.kraftcpas.com	216.40.10.115	true	true	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
173.221.5.248	support.kraftcpas.com	United States	7029	WINDSTREAMUS	false
172.217.18.3	unknown	United States	15169	GOOGLEUS	false
142.250.184.228	www.google.com	United States	15169	GOOGLEUS	false
216.40.10.115	kftit2.kraftcpas.com	United States	53828	NITELUS	true
142.250.185.227	unknown	United States	15169	GOOGLEUS	false
142.250.185.238	unknown	United States	15169	GOOGLEUS	false
66.102.1.84	unknown	United States	15169	GOOGLEUS	false
216.58.206.46	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.24
192.168.2.16

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1611144
Start date and time:	2025-02-10 15:48:20 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Sample URL:	https://support.kraftcpas.com/sc.exe
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.evad.win@52/67@6/62

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 184.28.90.27, 142.250.185.227, 216.58.206.46, 66.102.1.84, 142.250.186.110, 142.250.185.238, 142.250.186.142
Excluded domains from analysis (whitelisted): fs.microsoft.com, accounts.google.com, otelrules.azureedge.net, slscr.update.microsoft.com, clientservices.googleapis.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com, clients2.google.com, redirector.gvt1.com, e16604.g.akamaiedge.net, clients.l.google.com, prod.fs.microsoft.com.akadns.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Timeout during stream target processing, analysis might miss dynamic analysis data
VT rate limit hit for: https://support.kraftcpas.com/sc.exe

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	5DB908C12D6E768081BCED0E165E36F8
SHA1:	F2D3160F15CFD0989091249A61132A369E44DEA4
SHA-256:	FD5818DCDF5FC76316B8F7F96630EC66BB1CB5B5A8127CF300E5842F2C74FFCA
SHA-512:	8400486CADB7C07C08338D8876BC14083B6F7DE8A8237F4FE866F4659139ACC0B587EB89289D281106E5BAF70187B3B5E86502A2E340113258F03994D959328D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...nu............" ..0.............. ... ...@....... ..............................p.....@.................................e ..O....@.......................`..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................. ......H........n..@...................<.........................................(....^.(...........%...}....:.(......}....:.(......}....:.(......}.....~,...%-.&~+.....i...s....%.,...(...+vs....%.}P.........s....(....*....0...........s....}.....s....}...........}.......(&.....}.....(....&.()..........s....o.....()...~-...%-.&~+.....j...s....%.-...o ....s!...}.....s"...}.....s#...}...... .... 0u.........s....s=...}....... ..6........s....s=...}.....('...($............o%........

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
Category:	dropped
Size (bytes):	1039990
Entropy (8bit):	7.782583860577445
Encrypted:	false
SSDEEP:
MD5:	5C1B123DF7123061CA1F1CDB31CE36CB
SHA1:	1421DB694E8C2A3AF066D6317282157D2C05E3B6
SHA-256:	D40AE98A7D18C2C35C0355984340B0517BE47257C000931093A4FC3CCC90C226
SHA-512:	866979A543AC413DBEADCE82E9AB35FFE5F4D0F69FC61EF2C4F8761030A126ABFAB4DB053669DF7E7A602E3753842A7315C17881D2A333D0ABEA51D8EF3041E8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........S.c.2.0.2.0.2.0..\|0.2.0..H0.2.0.Jq0.2.0.2.0.2.0..I0.2.0..y0.2.0..x0.2.0...0.2.0Rich.2.0................PE..L...9..P...........!.........H.......i.......................................p............@..............................*..l...x....@.......................P..d.......................................@...............h............................text............................... ..`.rdata..............................@..@.data....-..........................@....rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................................

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	228
Entropy (8bit):	5.069688959232011
Encrypted:	false
SSDEEP:
MD5:	EB99EE012EB63C162EEBC1DF3A15990B
SHA1:	D48FD3B3B942C754E3588D91920670C087FCE7E9
SHA-256:	C5045C2D482F71215877EB668264EE47E1415792457F19A5A55651C3554CC7CD
SHA-512:	455EC01953EC27186FBEAD17C503B7F952474A80B41E986494697497ECEAB130AD81A5561373D6762B71EEC473D8E37CDE742F557E50233F7EB0E8FB8B0BE4AD
Malicious:	false
Reputation:	unknown
Preview:	.<?xml version="1.0" encoding="utf-8" ?>..<configuration>...<startup useLegacyV2RuntimeActivationPolicy="true">....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>..</configuration>

Process:	C:\Users\user\Downloads\sc.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {0342A67D-0053-DFEE-0A08-DF71BC234833}, Create Time/Date: Fri Nov 3 13:57:12 2023, Last Saved Time/Date: Fri Nov 3 13:57:12 2023, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
Category:	dropped
Size (bytes):	9158656
Entropy (8bit):	7.959082464208113
Encrypted:	false
SSDEEP:
MD5:	BA8D0296FD448390415A2AE6B14D1621
SHA1:	89DB42921A68DFA5C661018E14EE4B332D017FEE
SHA-256:	7329866BD2E50C6C4A054A5943AED7312C28893BEE4CEF7B57E63E85A9CA0E2C
SHA-512:	CB038B9A300F1A3639DBDD261D5D546C93A9540476CAA11D92A3780D43B21DB45466804BAD82757AB0E22D7BDBEA9AAD29E2146671D8920081CA133A03284F75
Malicious:	false
Reputation:	unknown
Preview:	......................>.......................................................+.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Feb 10 13:48:55 2025, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.9942654200148566
Encrypted:	false
SSDEEP:
MD5:	8F6D4308E796AC13078EA24B19B84BFE
SHA1:	3CE3053086034E41E7A41F08B300C0DFCAF61AF1
SHA-256:	9B012FBF4C582C5CF90391E45EA38E2E24BECE6C50295F5C818969AB9877A080
SHA-512:	36F8CA842FAE3C835E920AE5A5905A1DBF5540AF370AEAAAF5B232FDFE091012993CFA38E90F458598BD4DFAC5BA1D73105E00A346E1AA342CD2895FDBD56424
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.........{..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IJZ.v....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VJZ.v....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VJZ.v....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VJZ.v..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VJZ.v...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............5.v.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. COM is a system within Windows to enable interaction between software components through the operating system. References to various COM objects are stored in the Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://support.kraftcpas.com/sc.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

LLM Input / Output

Created / dropped Files

518d87.rbf (copy)

518d88.rbf (copy)

518d89.rbf (copy)

518d8a.rbf (copy)

518d8b.rbf (copy)

518d8c.rbf (copy)

518d8f.rbf (copy)

518d91.rbf (copy)

518d92.rbf (copy)

518d93.rbf (copy)

518d94.rbf (copy)

C:\Config.Msi\518d81.rbs

C:\Config.Msi\518d86.rbs

C:\Config.Msi\518d95.rbs

C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\Client.en-US.resources

C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\Client.resources

C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.Client.dll

C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.dll

C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.ClientService.exe

C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsAuthenticationPackage.dll

C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsBackstageShell.exe

C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe

C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsClient.exe.config

C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsCredentialProvider.dll

C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\ScreenConnect.WindowsFileManager.exe

C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\app.config

C:\Program Files (x86)\ScreenConnect Client (1f3845d5d6df5ded)\system.config

Windows Analysis Report
https://support.kraftcpas.com/sc.exe

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.This may deny access to available backups and recovery options.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Deletion, Command: Command Execution, File: File Deletion, Process: Process Creation, Service: Service Metadata, Snapshot: Snapshot Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre