Windows Analysis Report
6IqUjK9Koj.exe

Overview

General Information

Sample name: 6IqUjK9Koj.exe
renamed because original name is a hash value
Original sample name: 2ca3ef2cdad572bcbf31b55fa293db2214df08d2bf0b266f0725e362cc26d3c6.exe
Analysis ID: 1567467
MD5: 3dba9333737442421a8badbacb64ed28
SHA1: a626ea96e79c17452389f0adde9cdd486a441a3a
SHA256: 2ca3ef2cdad572bcbf31b55fa293db2214df08d2bf0b266f0725e362cc26d3c6
Tags: ConnectWiseexescreen-connectprotocol-essigneduser-JAMESWT_MHT

Detection

ScreenConnect Tool
Score: 46
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 32
Range: 0 - 100

Signatures

Multi AV Scanner detection for submitted file
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Contains functionality to hide user accounts
Creates files in the system32 config directory
Detected potential unwanted application
Enables network access during safeboot for specific services
Modifies security policies related information
Possible COM Object hijacking
Reads the Security eventlog
Reads the System eventlog
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for available system drives (often done to infect USB drives)
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
EXE planting / hijacking vulnerabilities found
Enables debug privileges
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
May use bcdedit to modify the Windows boot settings
Modifies existing windows services
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected ScreenConnect Tool

Classification

  • System is w10x64
  • 6IqUjK9Koj.exe (PID: 7324 cmdline: "C:\Users\user\Desktop\6IqUjK9Koj.exe" MD5: 3DBA9333737442421A8BADBACB64ED28)
    • msiexec.exe (PID: 7420 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\a532d472f1ff1d4e\ScreenConnect.ClientSetup.msi" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • msiexec.exe (PID: 7460 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 7504 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 546BD2874B30B156F9F5E352A2E90D60 C MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • rundll32.exe (PID: 7552 cmdline: rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIDA0A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6871750 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments MD5: 889B99C52A60DD49227C5E485A016679)
    • msiexec.exe (PID: 7636 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 61C39474868EF693AA9D13DED834CBE3 MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • msiexec.exe (PID: 7688 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding D6AAC5942B62E87B45915706D7C6883C E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • ScreenConnect.ClientService.exe (PID: 7724 cmdline: "C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=sc.connectprotocol.es&p=8041&s=1415700e-0a5c-4e5f-b644-5b752a637a1e&k=BgIAAACkAABSU0ExAAgAAAEAAQC1kWKbpg72shug%2fcuGWQB7IuEBcyNy1kcDtCeo3N0RY4axIPh%2fFMztLn0b%2bG2MIuQOrKGq0Xsvxj7WUcZ%2bdIiMwDt7qlLgFko33osOQisFILKOBROsqmoO0CYg%2fpKva7AaAU%2bym8ZeY9OkPYj7knkvh679kRKgwWM5tfC%2fbhzztt1d5pfIewfVI67rLcAGqXh1hUDy%2bbdI6LG6r8m8lQczrbhXAZJ%2fuvXvUGXN6ZWttC7E00yJiy6fPWNioX5EJ%2fn2uX9gCWU%2bpspAIXXJhOyEHV84BHAUT0rgC1re8M9Puttx9uDjI37OpBOLw%2f5qq735uizmWAgUfhfj%2fLZeRyvQ&t=GOLDEN-TEAM-006" MD5: 75B21D04C69128A7230A0998086B61AA)
    • ScreenConnect.WindowsClient.exe (PID: 7792 cmdline: "C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe" "RunRole" "51cd66e2-8e8e-4db9-96dd-23cdad723925" "User" MD5: 1778204A8C3BC2B8E5E4194EDBAF7135)
    • ScreenConnect.WindowsClient.exe (PID: 8008 cmdline: "C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe" "RunRole" "29ee37d5-5f9a-4773-a194-ef3bf27be104" "System" MD5: 1778204A8C3BC2B8E5E4194EDBAF7135)
  • svchost.exe (PID: 7936 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
6IqUjK9Koj.exe | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |

Source | Rule | Description | Author | Strings
C:\Windows\Installer\inprogressinstallinfo.ipi | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
C:\Windows\Temp\~DF8520E176E00F1D33.TMP | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
C:\Windows\Temp\~DFA7F10B559F8603C4.TMP | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
C:\Windows\Temp\~DF830A435A15E4EDE9.TMP | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
C:\Windows\Temp\~DF1A9D54364A7DB45B.TMP | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.2100983220.0000000005480000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
00000009.00000000.2147220649.00000000003A2000.00000002.00000001.01000000.00000011.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
00000009.00000002.3950343300.0000000002641000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
00000000.00000000.2074088175.00000000000D6000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
0000000B.00000002.2199446681.0000000003111000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |

Source | Rule | Description | Author | Strings
0.2.6IqUjK9Koj.exe.5480000.8.raw.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
9.0.ScreenConnect.WindowsClient.exe.3a0000.0.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
9.2.ScreenConnect.WindowsClient.exe.26bfa10.0.raw.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
0.2.6IqUjK9Koj.exe.5480000.8.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
0.0.6IqUjK9Koj.exe.185db0.2.raw.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |

                                  System Summary

                                  Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: ScreenConnect Client (a532d472f1ff1d4e) Credential Provider, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\msiexec.exe, ProcessId: 7460, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{6FF59A85-BC37-4CD4-66E1-82EBBD1A2A17}\(Default)
                                  Source: Process started | Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7936, ProcessName: svchost.exe
                                  No Suricata rule has matched

                                  AV Detection

                                  Source: 6IqUjK9Koj.exe | ReversingLabs: Detection: 26%
                                  Source: Submitted Sample | Integrated Neural Analysis Model: Matched 82.9% probability
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe | Code function: 8_2_055D06C4 CryptUnprotectData, 8_2_055D06C4
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe | Code function: 8_2_055D2E69 CryptUnprotectData, 8_2_055D2E69
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe | Code function: 8_2_055D0690 CryptUnprotectData, 8_2_055D0690
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exe | EXE: msiexec.exe

                                  Compliance

                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exe | EXE: msiexec.exe
                                  Source: 6IqUjK9Koj.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                                  Source: 6IqUjK9Koj.exe | Static PE information: certificate valid
                                  Source: 6IqUjK9Koj.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientInstallerRunner\obj\Release\ScreenConnect.ClientInstallerRunner.pdb source: 6IqUjK9Koj.exe
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdbM source: 6IqUjK9Koj.exe
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdb source: 6IqUjK9Koj.exe
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.3.dr
                                  Source: Binary string: C:\Compile\screenconnect\Product\WindowsAuthenticationPackage\bin\Release\ScreenConnect.WindowsAuthenticationPackage.pdb source: ScreenConnect.ClientService.exe, 00000008.00000002.3962664365.0000000002327000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000B.00000002.2207243967.0000000013120000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: 6IqUjK9Koj.exe, ScreenConnect.Core.dll.5.dr, ScreenConnect.Core.dll.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: ScreenConnect.WindowsClient.exe, 00000009.00000002.3950343300.0000000002641000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000B.00000002.2198861208.0000000003030000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000B.00000002.2199231112.00000000030B2000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.WindowsClient.exe, 0000000B.00000002.2199446681.0000000003111000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.dll.3.dr
                                  Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\DotNetResolver\obj\Debug\DotNetResolver.pdb source: 6IqUjK9Koj.exe
                                  Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000008.00000000.2134167848.0000000000C6D000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.ClientService.exe.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: 6IqUjK9Koj.exe, ScreenConnect.Windows.dll.5.dr, ScreenConnect.Windows.dll.3.dr
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression.Cab\Microsoft.Deployment.Compression.Cab.pdb source: rundll32.exe, 00000005.00000003.2092498674.0000000004AB1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2100970253.0000000004940000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\InstallerActions\obj\Release\net20\ScreenConnect.InstallerActions.pdb source: ScreenConnect.InstallerActions.dll.5.dr
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression\Microsoft.Deployment.Compression.pdb source: rundll32.exe, 00000005.00000003.2092498674.0000000004A42000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.dll.5.dr
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb source: 6IqUjK9Koj.exe, MSIE7F5.tmp.3.dr, 68e15f.msi.3.dr, ScreenConnect.ClientSetup.msi.0.dr, 68e15d.msi.3.dr, 68e15e.rbs.3.dr, MSIEC0D.tmp.3.dr, MSIE815.tmp.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbS] source: 6IqUjK9Koj.exe, ScreenConnect.Windows.dll.5.dr, ScreenConnect.Windows.dll.3.dr
                                  Source: Binary string: screenconnect_windows_credential_provider.pdb source: ScreenConnect.ClientService.exe, 00000008.00000002.3962664365.0000000002327000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000B.00000002.2207243967.0000000013120000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000009.00000000.2147220649.00000000003A2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.dr
                                  Source: Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb source: 6IqUjK9Koj.exe, MSIDA0A.tmp.2.dr, 68e15f.msi.3.dr, ScreenConnect.ClientSetup.msi.0.dr, 68e15d.msi.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdbu source: ScreenConnect.WindowsClient.exe, 00000009.00000000.2147220649.00000000003A2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbi source: ScreenConnect.WindowsClient.exe, 0000000B.00000002.2198981314.0000000003072000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: ScreenConnect.WindowsClient.exe, 0000000B.00000002.2198981314.0000000003072000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.3.dr
                                  Source: Binary string: screenconnect_windows_credential_provider.pdb' source: ScreenConnect.ClientService.exe, 00000008.00000002.3962664365.0000000002327000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000B.00000002.2207243967.0000000013120000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.3.dr
                                  Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetRunner.pdb source: 6IqUjK9Koj.exe
                                  Source: C:\Windows\System32\msiexec.exe | File opened: z:
                                  Source: C:\Windows\System32\msiexec.exe | File opened: x:
                                  Source: C:\Windows\System32\msiexec.exe | File opened: v:
                                  Source: C:\Windows\System32\msiexec.exe | File opened: t:
                                  Source: C:\Windows\System32\msiexec.exe | File opened: r:
                                  Source: C:\Windows\System32\msiexec.exe | File opened: p:
                                  Source: C:\Windows\System32\msiexec.exe | File opened: n:
                                  Source: C:\Windows\System32\msiexec.exe | File opened: l:
                                  Source: C:\Windows\System32\msiexec.exe | File opened: j:
                                  Source: C:\Windows\System32\msiexec.exe | File opened: h:
                                  Source: C:\Windows\System32\msiexec.exe | File opened: f:
                                  Source: C:\Windows\System32\msiexec.exe | File opened: b:
                                  Source: C:\Windows\System32\msiexec.exe | File opened: y:
                                  Source: C:\Windows\System32\msiexec.exe | File opened: w:
                                  Source: C:\Windows\System32\msiexec.exe | File opened: u:
                                  Source: C:\Windows\System32\msiexec.exe | File opened: s:
                                  Source: C:\Windows\System32\msiexec.exe | File opened: q:
                                  Source: C:\Windows\System32\msiexec.exe | File opened: o:
                                  Source: C:\Windows\System32\msiexec.exe | File opened: m:
                                  Source: C:\Windows\System32\msiexec.exe | File opened: k:
                                  Source: C:\Windows\System32\msiexec.exe | File opened: i:
                                  Source: C:\Windows\System32\msiexec.exe | File opened: g:
                                  Source: C:\Windows\System32\msiexec.exe | File opened: e:
                                  Source: C:\Windows\System32\svchost.exe | File opened: c:
                                  Source: C:\Windows\System32\msiexec.exe | File opened: a:

                                  Networking

                                  Source: C:\Windows\System32\msiexec.exe | Registry value created: NULL Service
                                  Source: global traffic | TCP traffic: 192.168.2.5:49705 -> 38.69.12.167:8041
                                  Source: Joe Sandbox View | IP Address: 38.69.12.167
                                  Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                                  Source: global traffic | DNS traffic detected: DNS query: sc.connectprotocol.es

                                  Spam, unwanted Advertisements and Ransom Demands

                                  barindex
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SecurityJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SecurityJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnectJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SystemJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\ScreenConnectJump to behavior

                                  System Summary

                                  Source: 6IqUjK9Koj.exe PE Signature Subject Chain: CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeCode function: 8_2_050F18A0 CreateProcessAsUserW,8_2_050F18A0
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\68e15d.msiJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\inprogressinstallinfo.ipiJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\SourceHash{0522F16A-6873-5B41-45A0-A61F7CB3B407}Jump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIE7F5.tmpJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIE815.tmpJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIEC0D.tmpJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\68e15f.msiJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{0522F16A-6873-5B41-45A0-A61F7CB3B407}Jump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{0522F16A-6873-5B41-45A0-A61F7CB3B407}\DefaultIconJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Windows\Installer\wix{0522F16A-6873-5B41-45A0-A61F7CB3B407}.SchedServiceConfig.rmiJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (a532d472f1ff1d4e)Jump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (a532d472f1ff1d4e)\fktunrnm.tmpJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (a532d472f1ff1d4e)\fktunrnm.newcfgJump to behavior
                                  Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmpJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log
                                  Source: C:\Windows\System32\msiexec.exeFile deleted: C:\Windows\Installer\MSIE815.tmpJump to behavior
                                  Source: 6IqUjK9Koj.exeStatic PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Source: 6IqUjK9Koj.exeStatic PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Source: 6IqUjK9Koj.exe, 00000000.00000000.2074088175.00000000005FF000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameScreenConnect.ClientInstallerRunner.exe< vs 6IqUjK9Koj.exe
                                  Source: 6IqUjK9Koj.exe, 00000000.00000000.2074088175.00000000005FF000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameDotNetResolver.exe4 vs 6IqUjK9Koj.exe
                                  Source: 6IqUjK9Koj.exe, 00000000.00000002.2095839327.0000000005150000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameScreenConnect.WindowsInstaller.dll< vs 6IqUjK9Koj.exe
                                  Source: 6IqUjK9Koj.exe, 00000000.00000002.2092295374.0000000003D2D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs 6IqUjK9Koj.exe
                                  Source: 6IqUjK9Koj.exe, 00000000.00000002.2108450173.0000000007A30000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemsiexec.exe.muiX vs 6IqUjK9Koj.exe
                                  Source: 6IqUjK9Koj.exe, 00000000.00000002.2098270370.0000000005280000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenamelibwebp.dllB vs 6IqUjK9Koj.exe
                                  Source: 6IqUjK9Koj.exe, 00000000.00000002.2098270370.0000000005280000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenamezlib.dll2 vs 6IqUjK9Koj.exe
                                  Source: 6IqUjK9Koj.exe, 00000000.00000002.2098270370.0000000005280000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs 6IqUjK9Koj.exe
                                  Source: 6IqUjK9Koj.exe, 00000000.00000000.2074088175.00000000000D6000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameScreenConnect.Core.dll< vs 6IqUjK9Koj.exe
                                  Source: 6IqUjK9Koj.exe, 00000000.00000000.2074088175.00000000000D6000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamelibwebp.dllB vs 6IqUjK9Koj.exe
                                  Source: 6IqUjK9Koj.exe, 00000000.00000000.2074088175.00000000000D6000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamezlib.dll2 vs 6IqUjK9Koj.exe
                                  Source: 6IqUjK9Koj.exe, 00000000.00000000.2074088175.00000000000D6000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs 6IqUjK9Koj.exe
                                  Source: 6IqUjK9Koj.exe, 00000000.00000000.2074088175.00000000000D6000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameScreenConnect.WindowsInstaller.dll< vs 6IqUjK9Koj.exe
                                  Source: 6IqUjK9Koj.exe, 00000000.00000002.2100983220.000000000563C000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameScreenConnect.InstallerActions.dll< vs 6IqUjK9Koj.exe
                                  Source: 6IqUjK9Koj.exe, 00000000.00000002.2100983220.000000000563C000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSfxCA.dllL vs 6IqUjK9Koj.exe
                                  Source: 6IqUjK9Koj.exe, 00000000.00000002.2100983220.000000000563C000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenamewixca.dll\ vs 6IqUjK9Koj.exe
                                  Source: 6IqUjK9Koj.exe, 00000000.00000002.2100983220.000000000563C000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameScreenConnect.ClientInstallerRunner.exe< vs 6IqUjK9Koj.exe
                                  Source: 6IqUjK9Koj.exe, 00000000.00000002.2095982178.00000000051F0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameScreenConnect.Core.dll< vs 6IqUjK9Koj.exe
                                  Source: 6IqUjK9Koj.exe, 00000000.00000002.2086452142.00000000029D0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameDotNetResolver.exe4 vs 6IqUjK9Koj.exe
                                  Source: 6IqUjK9Koj.exe, 00000000.00000002.2103630368.0000000006658000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameScreenConnect.InstallerActions.dll< vs 6IqUjK9Koj.exe
                                  Source: 6IqUjK9Koj.exe, 00000000.00000002.2103630368.0000000006658000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSfxCA.dllL vs 6IqUjK9Koj.exe
                                  Source: 6IqUjK9Koj.exe, 00000000.00000002.2103630368.0000000006658000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamewixca.dll\ vs 6IqUjK9Koj.exe
                                  Source: 6IqUjK9Koj.exeBinary or memory string: OriginalFilenameScreenConnect.Core.dll< vs 6IqUjK9Koj.exe
                                  Source: 6IqUjK9Koj.exeBinary or memory string: OriginalFilenamelibwebp.dllB vs 6IqUjK9Koj.exe
                                  Source: 6IqUjK9Koj.exeBinary or memory string: OriginalFilenamezlib.dll2 vs 6IqUjK9Koj.exe
                                  Source: 6IqUjK9Koj.exeBinary or memory string: OriginalFilenameScreenConnect.Windows.dll< vs 6IqUjK9Koj.exe
                                  Source: 6IqUjK9Koj.exeBinary or memory string: OriginalFilenameScreenConnect.WindowsInstaller.dll< vs 6IqUjK9Koj.exe
                                  Source: 6IqUjK9Koj.exeBinary or memory string: OriginalFilenameScreenConnect.InstallerActions.dll< vs 6IqUjK9Koj.exe
                                  Source: 6IqUjK9Koj.exeBinary or memory string: OriginalFilenameSfxCA.dllL vs 6IqUjK9Koj.exe
                                  Source: 6IqUjK9Koj.exeBinary or memory string: OriginalFilenamewixca.dll\ vs 6IqUjK9Koj.exe
                                  Source: 6IqUjK9Koj.exeBinary or memory string: OriginalFilenameScreenConnect.ClientInstallerRunner.exe< vs 6IqUjK9Koj.exe
                                  Source: 6IqUjK9Koj.exeBinary or memory string: OriginalFilenameDotNetResolver.exe4 vs 6IqUjK9Koj.exe
                                  Source: 6IqUjK9Koj.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                                  Source: classification engineClassification label: mal46.evad.winEXE@18/59@1/2
                                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)Jump to behavior
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\6IqUjK9Koj.exe.logJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeMutant created: NULL
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeMutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exeFile created: C:\Users\user\AppData\Local\Temp\ScreenConnectJump to behavior
                                  Source: 6IqUjK9Koj.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                  Source: 6IqUjK9Koj.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIDA0A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6871750 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
                                  Source: 6IqUjK9Koj.exeReversingLabs: Detection: 26%
                                  Source: 6IqUjK9Koj.exeString found in binary or memory: $F294ACFC-3146-4483-A7BF-ADDCA7C260E2
                                  Source: 6IqUjK9Koj.exeString found in binary or memory: $F294ACFC-3146-4483-A7BF-ADDCA7C260E2)
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exeFile read: C:\Users\user\Desktop\6IqUjK9Koj.exeJump to behavior
                                  Source: unknownProcess created: C:\Users\user\Desktop\6IqUjK9Koj.exe "C:\Users\user\Desktop\6IqUjK9Koj.exe"
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\a532d472f1ff1d4e\ScreenConnect.ClientSetup.msi"
                                  Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
                                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 546BD2874B30B156F9F5E352A2E90D60 C
                                  Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIDA0A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6871750 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
                                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 61C39474868EF693AA9D13DED834CBE3
                                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D6AAC5942B62E87B45915706D7C6883C E Global\MSI0000
                                  Source: unknownProcess created: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe "C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=sc.connectprotocol.es&p=8041&s=1415700e-0a5c-4e5f-b644-5b752a637a1e&k=BgIAAACkAABSU0ExAAgAAAEAAQC1kWKbpg72shug%2fcuGWQB7IuEBcyNy1kcDtCeo3N0RY4axIPh%2fFMztLn0b%2bG2MIuQOrKGq0Xsvxj7WUcZ%2bdIiMwDt7qlLgFko33osOQisFILKOBROsqmoO0CYg%2fpKva7AaAU%2bym8ZeY9OkPYj7knkvh679kRKgwWM5tfC%2fbhzztt1d5pfIewfVI67rLcAGqXh1hUDy%2bbdI6LG6r8m8lQczrbhXAZJ%2fuvXvUGXN6ZWttC7E00yJiy6fPWNioX5EJ%2fn2uX9gCWU%2bpspAIXXJhOyEHV84BHAUT0rgC1re8M9Puttx9uDjI37OpBOLw%2f5qq735uizmWAgUfhfj%2fLZeRyvQ&t=GOLDEN-TEAM-006"
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeProcess created: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe" "RunRole" "51cd66e2-8e8e-4db9-96dd-23cdad723925" "User"
                                  Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeProcess created: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe" "RunRole" "29ee37d5-5f9a-4773-a194-ef3bf27be104" "System"
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\a532d472f1ff1d4e\ScreenConnect.ClientSetup.msi"Jump to behavior
                                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 546BD2874B30B156F9F5E352A2E90D60 CJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 61C39474868EF693AA9D13DED834CBE3Jump to behavior
                                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D6AAC5942B62E87B45915706D7C6883C E Global\MSI0000Jump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIDA0A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6871750 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArgumentsJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeProcess created: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe" "RunRole" "51cd66e2-8e8e-4db9-96dd-23cdad723925" "User"Jump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeProcess created: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe "C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe" "RunRole" "29ee37d5-5f9a-4773-a194-ef3bf27be104" "System"Jump to behavior
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exeSection loaded: apphelp.dllJump to behavior
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exeSection loaded: mscoree.dllJump to behavior
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exeSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exeSection loaded: wldp.dllJump to behavior
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exeSection loaded: amsi.dllJump to behavior
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exeSection loaded: userenv.dllJump to behavior
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exeSection loaded: profapi.dllJump to behavior
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exeSection loaded: version.dllJump to behavior
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exeSection loaded: msasn1.dllJump to behavior
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exeSection loaded: gpapi.dllJump to behavior
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exeSection loaded: cryptsp.dllJump to behavior
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exeSection loaded: rsaenh.dllJump to behavior
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exeSection loaded: cryptbase.dllJump to behavior
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exeSection loaded: uxtheme.dllJump to behavior
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exeSection loaded: windows.storage.dllJump to behavior
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exeSection loaded: propsys.dllJump to behavior
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exeSection loaded: edputil.dllJump to behavior
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exeSection loaded: urlmon.dllJump to behavior
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exeSection loaded: iertutil.dllJump to behavior
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exeSection loaded: srvcli.dllJump to behavior
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exeSection loaded: netutils.dllJump to behavior
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exeSection loaded: sspicli.dllJump to behavior
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exeSection loaded: wintypes.dllJump to behavior
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exeSection loaded: appresolver.dllJump to behavior
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exeSection loaded: bcp47langs.dllJump to behavior
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exeSection loaded: slc.dllJump to behavior
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exeSection loaded: sppc.dllJump to behavior
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: srpapi.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textinputframework.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntmarta.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: propsys.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textshaping.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wkscli.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mscoree.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msihnd.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: pcacli.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: userenv.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: srclient.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: spp.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: powrprof.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: vssapi.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: vsstrace.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: umpdc.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: rstrtmgr.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: ncrypt.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: ntasn1.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeSection loaded: apphelp.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeSection loaded: mscoree.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeSection loaded: cryptsp.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeSection loaded: rsaenh.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeSection loaded: cryptbase.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeSection loaded: urlmon.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeSection loaded: iertutil.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeSection loaded: srvcli.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeSection loaded: netutils.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeSection loaded: sspicli.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeSection loaded: windows.storage.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeSection loaded: wldp.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeSection loaded: propsys.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeSection loaded: version.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeSection loaded: profapi.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeSection loaded: dpapi.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeSection loaded: amsi.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeSection loaded: userenv.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeSection loaded: msasn1.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeSection loaded: gpapi.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeSection loaded: wtsapi32.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeSection loaded: winsta.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeSection loaded: mswsock.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeSection loaded: dnsapi.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeSection loaded: iphlpapi.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeSection loaded: rasadhlp.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeSection loaded: netapi32.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeSection loaded: samcli.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeSection loaded: samlib.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeSection loaded: fwpuclnt.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeSection loaded: dhcpcsvc6.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeSection loaded: dhcpcsvc.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeSection loaded: winnsi.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: mscoree.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: apphelp.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: version.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: uxtheme.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: cryptsp.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: rsaenh.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: cryptbase.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: windows.storage.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: wldp.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: profapi.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: amsi.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: userenv.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: urlmon.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: iertutil.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: srvcli.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: netutils.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: sspicli.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: propsys.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: windowscodecs.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: dwrite.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: esent.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: mi.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
                                  Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: mscoree.dll
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: kernel.appcore.dll
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: version.dll
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: vcruntime140_clr0400.dll
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: ucrtbase_clr0400.dll
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: ucrtbase_clr0400.dll
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: uxtheme.dll
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: cryptsp.dll
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: rsaenh.dll
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeSection loaded: cryptbase.dll
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe Section loaded: windows.storage.dll
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe Section loaded: wldp.dll
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe Section loaded: profapi.dll
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe Section loaded: amsi.dll
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe Section loaded: userenv.dll
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe Section loaded: urlmon.dll
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe Section loaded: iertutil.dll
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe Section loaded: srvcli.dll
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe Section loaded: netutils.dll
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe Section loaded: sspicli.dll
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe Section loaded: propsys.dll
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe Section loaded: windowscodecs.dll
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe Section loaded: wtsapi32.dll
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe Section loaded: winsta.dll
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe Section loaded: wbemcomn.dll
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe Section loaded: netapi32.dll
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe Section loaded: wkscli.dll
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                                  Source: Window Recorder Window detected: More than 3 window changes detected
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                                  Source: 6IqUjK9Koj.exe Static PE information: certificate valid
                                  Source: 6IqUjK9Koj.exe Static file information: File size 5620624 > 1048576
                                  Source: 6IqUjK9Koj.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x533200
                                  Source: 6IqUjK9Koj.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                                  Source: 6IqUjK9Koj.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                                  Source: 6IqUjK9Koj.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                                  Source: 6IqUjK9Koj.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                                  Source: 6IqUjK9Koj.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                                  Source: 6IqUjK9Koj.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                                  Source: 6IqUjK9Koj.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientInstallerRunner\obj\Release\ScreenConnect.ClientInstallerRunner.pdb source: 6IqUjK9Koj.exe
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdbM source: 6IqUjK9Koj.exe
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdb source: 6IqUjK9Koj.exe
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.3.dr
                                  Source: Binary string: C:\Compile\screenconnect\Product\WindowsAuthenticationPackage\bin\Release\ScreenConnect.WindowsAuthenticationPackage.pdb source: ScreenConnect.ClientService.exe, 00000008.00000002.3962664365.0000000002327000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000B.00000002.2207243967.0000000013120000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsAuthenticationPackage.dll.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: 6IqUjK9Koj.exe, ScreenConnect.Core.dll.5.dr, ScreenConnect.Core.dll.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: ScreenConnect.WindowsClient.exe, 00000009.00000002.3950343300.0000000002641000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000B.00000002.2198861208.0000000003030000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000B.00000002.2199231112.00000000030B2000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.WindowsClient.exe, 0000000B.00000002.2199446681.0000000003111000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.dll.3.dr
                                  Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\DotNetResolver\obj\Debug\DotNetResolver.pdb source: 6IqUjK9Koj.exe
                                  Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000008.00000000.2134167848.0000000000C6D000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.ClientService.exe.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: 6IqUjK9Koj.exe, ScreenConnect.Windows.dll.5.dr, ScreenConnect.Windows.dll.3.dr
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression.Cab\Microsoft.Deployment.Compression.Cab.pdb source: rundll32.exe, 00000005.00000003.2092498674.0000000004AB1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2100970253.0000000004940000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\InstallerActions\obj\Release\net20\ScreenConnect.InstallerActions.pdb source: ScreenConnect.InstallerActions.dll.5.dr
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\obj\ship\x86\Compression\Microsoft.Deployment.Compression.pdb source: rundll32.exe, 00000005.00000003.2092498674.0000000004A42000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.dll.5.dr
                                  Source: Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb source: 6IqUjK9Koj.exe, MSIE7F5.tmp.3.dr, 68e15f.msi.3.dr, ScreenConnect.ClientSetup.msi.0.dr, 68e15d.msi.3.dr, 68e15e.rbs.3.dr, MSIEC0D.tmp.3.dr, MSIE815.tmp.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbS] source: 6IqUjK9Koj.exe, ScreenConnect.Windows.dll.5.dr, ScreenConnect.Windows.dll.3.dr
                                  Source: Binary string: screenconnect_windows_credential_provider.pdb source: ScreenConnect.ClientService.exe, 00000008.00000002.3962664365.0000000002327000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000B.00000002.2207243967.0000000013120000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000009.00000000.2147220649.00000000003A2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.dr
                                  Source: Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb source: 6IqUjK9Koj.exe, MSIDA0A.tmp.2.dr, 68e15f.msi.3.dr, ScreenConnect.ClientSetup.msi.0.dr, 68e15d.msi.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdbu source: ScreenConnect.WindowsClient.exe, 00000009.00000000.2147220649.00000000003A2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbi source: ScreenConnect.WindowsClient.exe, 0000000B.00000002.2198981314.0000000003072000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.3.dr
                                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: ScreenConnect.WindowsClient.exe, 0000000B.00000002.2198981314.0000000003072000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.3.dr
                                  Source: Binary string: screenconnect_windows_credential_provider.pdb' source: ScreenConnect.ClientService.exe, 00000008.00000002.3962664365.0000000002327000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000B.00000002.2207243967.0000000013120000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsCredentialProvider.dll.3.dr
                                  Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetRunner.pdb source: 6IqUjK9Koj.exe
                                  Source: 6IqUjK9Koj.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                                  Source: 6IqUjK9Koj.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                                  Source: 6IqUjK9Koj.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                                  Source: 6IqUjK9Koj.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                                  Source: 6IqUjK9Koj.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                                  Data Obfuscation

                                  Source: 0.0.6IqUjK9Koj.exe.6078ec.4.raw.unpack, Program.cs .Net Code: Main System.Reflection.Assembly.Load(byte[])
                                  Source: 0.2.6IqUjK9Koj.exe.29d0000.0.raw.unpack, Program.cs .Net Code: Main System.Reflection.Assembly.Load(byte[])
                                  Source: 6IqUjK9Koj.exe Static PE information: real checksum: 0x54d1c1 should be: 0x55f326
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exe Code function: 0_2_011970B0 push eax; mov dword ptr [esp], ecx 0_2_011970C1
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe Code function: 8_2_04A4AF30 push eax; mov dword ptr [esp], ecx 8_2_04A4AF31
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe Code function: 8_2_04A4C360 push eax; mov dword ptr [esp], ecx 8_2_04A4C361
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe Code function: 8_2_055D4070 push esp; ret 8_2_055D4083
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe Code function: 9_2_00007FF848A709D8 push ebx; retf 9_2_00007FF848A7098A
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe Code function: 9_2_00007FF848A722B1 push ebx; retf 9_2_00007FF848A722FA
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe Code function: 9_2_00007FF848A708CD push ebx; retf 9_2_00007FF848A7098A
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe Code function: 9_2_00007FF848A600BD pushad ; iretd 9_2_00007FF848A600C1
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe Code function: 9_2_00007FF848D849CD push E95EE447h; ret 9_2_00007FF848D84A19
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe Code function: 9_2_00007FF848D84A1A push E95EE447h; ret 9_2_00007FF848D84A19
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe Code function: 11_2_00007FF848A822B1 push ebx; retf 11_2_00007FF848A822FA
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe Code function: 11_2_00007FF848A700BD pushad ; iretd 11_2_00007FF848A700C1
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe Code function: 11_2_00007FF848D85D08 push eax; retf 48D7h 11_2_00007FF848D85DA1

                                  Persistence and Installation Behavior

                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log
                                  Source: c:\program files (x86)\screenconnect client (a532d472f1ff1d4e)\screenconnect.windowscredentialprovider.dll COM Object registered for dropped file: hkey_local_machine\software\classes\clsid\{6ff59a85-bc37-4cd4-66e1-82ebbd1a2a17}\inprocserver32
                                  Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSIDA0A.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll
                                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsCredentialProvider.dll
                                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsBackstageShell.exe
                                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe
                                  Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIDA0A.tmp
                                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIEC0D.tmp
                                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Client.dll
                                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.dll
                                  Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSIDA0A.tmp-\Microsoft.Deployment.Compression.dll
                                  Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSIDA0A.tmp-\ScreenConnect.InstallerActions.dll
                                  Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSIDA0A.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsAuthenticationPackage.dll
                                  Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSIDA0A.tmp-\ScreenConnect.Core.dll
                                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsFileManager.exe
                                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Windows.dll
                                  Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSIDA0A.tmp-\Microsoft.Deployment.Compression.Cab.dll
                                  Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIE815.tmp
                                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe
                                  Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\MSIDA0A.tmp-\ScreenConnect.Windows.dll
                                  Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Core.dll
                                  Source: ScreenConnect.ClientService.dll.3.dr Binary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (a532d472f1ff1d4e)

                                  Hooking and other Techniques for Hiding and Protection

                                  Source: 6IqUjK9Koj.exe, 00000000.00000002.2098270370.0000000005280000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                                  Source: 6IqUjK9Koj.exe, 00000000.00000000.2074088175.00000000000D6000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                                  Source: rundll32.exe, 00000005.00000003.2092498674.0000000004ABD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                                  Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.3950343300.0000000002641000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                                  Source: ScreenConnect.WindowsClient.exe, 0000000B.00000002.2213086122.000000001BFE2000.00000002.00000001.01000000.0000000F.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                                  Source: ScreenConnect.WindowsClient.exe, 0000000B.00000002.2198861208.0000000003030000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                                  Source: ScreenConnect.WindowsClient.exe, 0000000B.00000002.2199231112.00000000030B2000.00000002.00000001.01000000.0000000D.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                                  Source: ScreenConnect.WindowsClient.exe, 0000000B.00000002.2199446681.0000000003111000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                                  Source: 6IqUjK9Koj.exe String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                                  Source: ScreenConnect.Windows.dll.5.dr String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                                  Source: ScreenConnect.Windows.dll.3.dr String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                                  Source: ScreenConnect.ClientService.dll.3.dr String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exe Process information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exeMemory allocated: 1190000 memory reserve | memory write watchJump to behavior
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exeMemory allocated: 2B70000 memory reserve | memory write watchJump to behavior
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exeMemory allocated: 4B70000 memory reserve | memory write watchJump to behavior
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exeMemory allocated: 62D0000 memory reserve | memory write watchJump to behavior
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exeMemory allocated: 5A80000 memory reserve | memory write watchJump to behavior
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exeMemory allocated: 72D0000 memory reserve | memory write watchJump to behavior
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exeMemory allocated: 82D0000 memory reserve | memory write watchJump to behavior
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exeMemory allocated: 8560000 memory reserve | memory write watchJump to behavior
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exeMemory allocated: 9560000 memory reserve | memory write watchJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeMemory allocated: EF0000 memory reserve | memory write watchJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeMemory allocated: 1320000 memory reserve | memory write watchJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeMemory allocated: EF0000 memory reserve | memory write watchJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeMemory allocated: A60000 memory reserve | memory write watchJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeMemory allocated: 1A640000 memory reserve | memory write watchJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeMemory allocated: 1620000 memory reserve | memory write watch
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeMemory allocated: 1B110000 memory reserve | memory write watch
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exeThread delayed: delay time: 922337203685477Jump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeThread delayed: delay time: 922337203685477
                                  Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIDA0A.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dllJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsCredentialProvider.dllJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsBackstageShell.exeJump to dropped file
                                  Source: C:\Windows\SysWOW64\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIDA0A.tmpJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIEC0D.tmpJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Client.dllJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.dllJump to dropped file
                                  Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIDA0A.tmp-\ScreenConnect.InstallerActions.dllJump to dropped file
                                  Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIDA0A.tmp-\Microsoft.Deployment.Compression.dllJump to dropped file
                                  Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIDA0A.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsAuthenticationPackage.dllJump to dropped file
                                  Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIDA0A.tmp-\ScreenConnect.Core.dllJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsFileManager.exeJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Windows.dllJump to dropped file
                                  Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIDA0A.tmp-\Microsoft.Deployment.Compression.Cab.dllJump to dropped file
                                  Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIDA0A.tmp-\ScreenConnect.Windows.dllJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIE815.tmpJump to dropped file
                                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Core.dllJump to dropped file
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exe TID: 7344Thread sleep time: -922337203685477s >= -30000sJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe TID: 7772Thread sleep count: 54 > 30Jump to behavior
                                  Source: C:\Windows\System32\svchost.exe TID: 7964Thread sleep time: -30000s >= -30000sJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe TID: 8028Thread sleep time: -922337203685477s >= -30000s
                                  Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
                                  Source: C:\Windows\SysWOW64\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exeThread delayed: delay time: 922337203685477Jump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeThread delayed: delay time: 922337203685477
                                  Source: ScreenConnect.ClientService.exe, 00000008.00000002.3971063549.00000000047E0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllx
                                  Source: 6IqUjK9Koj.exe, 00000000.00000002.2085151316.0000000000F51000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\JM
                                  Source: svchost.exe, 0000000A.00000002.3817074057.000001BF1502B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWP
                                  Source: svchost.exe, 0000000A.00000002.3817600492.000001BF1A857000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                                  Source: C:\Windows\System32\msiexec.exeProcess information queried: ProcessInformationJump to behavior
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exeProcess token adjusted: DebugJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeProcess token adjusted: DebugJump to behavior
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exeMemory allocated: page read and write | page guardJump to behavior

                                  HIPS / PFW / Operating System Protection Evasion

                                  Source: 0.0.6IqUjK9Koj.exe.6078ec.4.raw.unpack, Program.cs | Reference to suspicious API methods: FindResource(moduleHandle, e.Name, "FILES")
                                  Source: 0.2.6IqUjK9Koj.exe.5280000.4.raw.unpack, WindowsMemoryNativeLibrary.cs | Reference to suspicious API methods: WindowsNative.VirtualAlloc(attemptImageBase, dwSize, WindowsNative.MEM.MEM_COMMIT | WindowsNative.MEM.MEM_RESERVE, WindowsNative.PAGE.PAGE_READWRITE)
                                  Source: 0.2.6IqUjK9Koj.exe.5280000.4.raw.unpack, WindowsMemoryNativeLibrary.cs | Reference to suspicious API methods: WindowsNative.LoadLibrary(loadedImageBase + ptr[i].Name)
                                  Source: 0.2.6IqUjK9Koj.exe.5280000.4.raw.unpack, WindowsMemoryNativeLibrary.cs | Reference to suspicious API methods: WindowsNative.GetProcAddress(intPtr, ptr5)
                                  Source: 0.2.6IqUjK9Koj.exe.5280000.4.raw.unpack, WindowsMemoryNativeLibrary.cs | Reference to suspicious API methods: WindowsNative.VirtualProtect(loadedImageBase + sectionHeaders[i].VirtualAddress, (IntPtr)num, flNewProtect, &pAGE)
                                  Source: 0.2.6IqUjK9Koj.exe.5280000.4.raw.unpack, WindowsExtensions.cs | Reference to suspicious API methods: HandleMinder.CreateWithFunc(WindowsNative.OpenProcess(processAccess, bInheritHandle: false, processID), WindowsNative.CloseHandle)
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\a532d472f1ff1d4e\ScreenConnect.ClientSetup.msi"
                                  Source: unknown | Process created: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe "c:\program files (x86)\screenconnect client (a532d472f1ff1d4e)\screenconnect.clientservice.exe" "?e=access&y=guest&h=sc.connectprotocol.es&p=8041&s=1415700e-0a5c-4e5f-b644-5b752a637a1e&k=bgiaaackaabsu0exaagaaaeaaqc1kwkbpg72shug%2fcugwqb7iuebcyny1kcdtceo3n0ry4axiph%2ffmztln0b%2bg2miuqorkgq0xsvxj7wucz%2bdiimwdt7qllgfko33osoqisfilkobrosqmoo0cyg%2fpkva7aaau%2bym8zey9okpyj7knkvh679krkgwwm5tfc%2fbhzztt1d5pfiewfvi67rlcagqxh1hudy%2bbdi6lg6r8m8lqczrbhxazj%2fuvxvugxn6zwttc7e00yjiy6fpwniox5ej%2fn2ux9gcwu%2bpspaixxjhoyehv84bhaut0rgc1re8m9puttx9udji37opbolw%2f5qq735uizmwagufhfj%2flzeryvq&t=golden-team-006"
                                  Source: ScreenConnect.WindowsClient.exe, 00000009.00000000.2147220649.00000000003A2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.drBinary or memory string: Progman
                                  Source: ScreenConnect.WindowsClient.exe, 00000009.00000000.2147220649.00000000003A2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.WindowsClient.exe.3.drBinary or memory string: Shell_TrayWnd-Shell_SecondaryTrayWnd%MsgrIMEWindowClass
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                  Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSIDA0A.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSIDA0A.tmp-\ScreenConnect.InstallerActions.dll VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSIDA0A.tmp-\ScreenConnect.Core.dll VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MSIDA0A.tmp-\ScreenConnect.Windows.dll VolumeInformationJump to behavior
                                  Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.dll VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Core.dll VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Windows.dll VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Client.dll VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Client.dll VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Core.dll VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Windows.dll VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.dll VolumeInformationJump to behavior
                                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
                                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe VolumeInformation
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Client.dll VolumeInformation
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Core.dll VolumeInformation
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Windows.dll VolumeInformation
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exeQueries volume information: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.dll VolumeInformation
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe | Code function: 8_2_050F19C8 CreateNamedPipeW,8_2_050F19C8
                                  Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe | Code function: 8_2_00F94C67 RtlGetVersion,8_2_00F94C67
                                  Source: C:\Users\user\Desktop\6IqUjK9Koj.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                                  Lowering of HIPS / PFW / Operating System Security Settings

                                  Source: C:\Windows\System32\msiexec.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa Authentication Packages
                                  Source: Yara matchFile source: 6IqUjK9Koj.exe, type: SAMPLE
                                  Source: Yara matchFile source: 0.2.6IqUjK9Koj.exe.5480000.8.raw.unpack, type: UNPACKEDPE
                                  Source: Yara matchFile source: 9.0.ScreenConnect.WindowsClient.exe.3a0000.0.unpack, type: UNPACKEDPE
                                  Source: Yara matchFile source: 9.2.ScreenConnect.WindowsClient.exe.26bfa10.0.raw.unpack, type: UNPACKEDPE
                                  Source: Yara matchFile source: 0.2.6IqUjK9Koj.exe.5480000.8.unpack, type: UNPACKEDPE
                                  Source: Yara matchFile source: 0.0.6IqUjK9Koj.exe.185db0.2.raw.unpack, type: UNPACKEDPE
                                  Source: Yara matchFile source: 11.2.ScreenConnect.WindowsClient.exe.318fa50.4.raw.unpack, type: UNPACKEDPE
                                  Source: Yara matchFile source: 0.0.6IqUjK9Koj.exe.d63d4.5.raw.unpack, type: UNPACKEDPE
                                  Source: Yara matchFile source: 0.0.6IqUjK9Koj.exe.15c3d4.1.raw.unpack, type: UNPACKEDPE
                                  Source: Yara matchFile source: 0.0.6IqUjK9Koj.exe.c0000.0.unpack, type: UNPACKEDPE
                                  Source: Yara matchFile source: 00000000.00000002.2100983220.0000000005480000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                                  Source: Yara matchFile source: 00000009.00000000.2147220649.00000000003A2000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
                                  Source: Yara matchFile source: 00000009.00000002.3950343300.0000000002641000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                  Source: Yara matchFile source: 00000000.00000000.2074088175.00000000000D6000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                                  Source: Yara matchFile source: 0000000B.00000002.2199446681.0000000003111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                  Source: Yara matchFile source: Process Memory Space: 6IqUjK9Koj.exe PID: 7324, type: MEMORYSTR
                                  Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 7552, type: MEMORYSTR
                                  Source: Yara matchFile source: Process Memory Space: ScreenConnect.WindowsClient.exe PID: 7792, type: MEMORYSTR
                                  Source: Yara matchFile source: Process Memory Space: ScreenConnect.WindowsClient.exe PID: 8008, type: MEMORYSTR
                                  Source: Yara matchFile source: C:\Windows\Installer\inprogressinstallinfo.ipi, type: DROPPED
                                  Source: Yara matchFile source: C:\Windows\Temp\~DF8520E176E00F1D33.TMP, type: DROPPED
                                  Source: Yara matchFile source: C:\Windows\Temp\~DFA7F10B559F8603C4.TMP, type: DROPPED
                                  Source: Yara matchFile source: C:\Windows\Temp\~DF830A435A15E4EDE9.TMP, type: DROPPED
                                  Source: Yara matchFile source: C:\Windows\Temp\~DF1A9D54364A7DB45B.TMP, type: DROPPED
                                  Source: Yara matchFile source: C:\Windows\Temp\~DFAEC3A69C455F11CF.TMP, type: DROPPED
                                  Source: Yara matchFile source: C:\Windows\Temp\~DF1D89DB85DA994D3C.TMP, type: DROPPED
                                  Source: Yara matchFile source: C:\Config.Msi\68e15e.rbs, type: DROPPED
                                  Source: Yara matchFile source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe, type: DROPPED
                                  Source: Yara matchFile source: C:\Windows\Installer\MSIE7F5.tmp, type: DROPPED
                                  Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                                  Gather Victim Identity Information | Acquire Infrastructure | 1 Valid Accounts | 31 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Disable or Modify Tools | OS Credential Dumping | 11 Peripheral Device Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                                  Credentials | Domains | 1 Replication Through Removable Media | 1 Native API | 1 DLL Search Order Hijacking | 1 DLL Search Order Hijacking | 1 Obfuscated Files or Information | LSASS Memory | 1 File and Directory Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
                                  Email AddressesDNS ServerDomain Accounts12
                                  Command and Scripting Interpreter
                                  1
                                  Component Object Model Hijacking
                                  1
                                  Component Object Model Hijacking
                                  1
                                  Software Packing
                                  Security Account Manager55
                                  System Information Discovery
                                  SMB/Windows Admin SharesData from Network Shared Drive1
                                  Non-Application Layer Protocol
                                  Automated ExfiltrationData Encrypted for Impact
                                  Employee NamesVirtual Private ServerLocal AccountsCron1
                                  Valid Accounts
                                  1
                                  Valid Accounts
                                  1
                                  DLL Side-Loading
                                  NTDS31
                                  Security Software Discovery
                                  Distributed Component Object ModelInput Capture1
                                  Application Layer Protocol
                                  Traffic DuplicationData Destruction
                                  Gather Victim Network InformationServerCloud AccountsLaunchd2
                                  Windows Service
                                  1
                                  Access Token Manipulation
                                  1
                                  DLL Search Order Hijacking
                                  LSA Secrets2
                                  Process Discovery
                                  SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                                  Domain PropertiesBotnetReplication Through Removable MediaScheduled Task1
                                  Bootkit
                                  2
                                  Windows Service
                                  1
                                  File Deletion
                                  Cached Domain Credentials61
                                  Virtualization/Sandbox Evasion
                                  VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup Items13
                                  Process Injection
                                  122
                                  Masquerading
                                  DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                                  Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                                  Valid Accounts
                                  Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                                  Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
                                  Access Token Manipulation
                                  /etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                                  IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron61
                                  Virtualization/Sandbox Evasion
                                  Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                                  Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd13
                                  Process Injection
                                  Input CaptureSystem Network Connections DiscoverySoftware Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption
                                  Gather Victim Org InformationDNS ServerCompromise Software Supply ChainWindows Command ShellScheduled TaskScheduled Task1
                                  Hidden Users
                                  KeyloggingProcess DiscoveryTaint Shared ContentScreen CaptureDNSExfiltration Over Physical MediumResource Hijacking
                                  Determine Physical LocationsVirtual Private ServerCompromise Hardware Supply ChainUnix ShellSystemd TimersSystemd Timers1
                                  Bootkit
                                  GUI Input CapturePermission Groups DiscoveryReplication Through Removable MediaEmail CollectionProxyExfiltration over USBNetwork Denial of Service
                                  Business RelationshipsServerTrusted RelationshipVisual BasicContainer Orchestration JobContainer Orchestration Job1
                                  Rundll32
                                  Web Portal CaptureLocal GroupsComponent Object Model and Distributed COMLocal Email CollectionInternal ProxyCommonly Used PortDirect Network Flood
Behavior Graph ID: 1567467 | Sample: 6IqUjK9Koj.exe | Startdate: 03/12/2024 | Architecture: WINDOWS | Score: 46

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 6IqUjK9Koj.exe | 26% | ReversingLabs | Win32.Trojan.Generic | |

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Client.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe | 0% | ReversingLabs | | |
| C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Core.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Windows.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsAuthenticationPackage.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsBackstageShell.exe | 0% | ReversingLabs | | |
| C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe | 0% | ReversingLabs | | |
| C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsCredentialProvider.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsFileManager.exe | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\MSIDA0A.tmp | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\MSIDA0A.tmp-\Microsoft.Deployment.Compression.Cab.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\MSIDA0A.tmp-\Microsoft.Deployment.Compression.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\MSIDA0A.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\MSIDA0A.tmp-\Microsoft.Deployment.WindowsInstaller.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\MSIDA0A.tmp-\ScreenConnect.Core.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\MSIDA0A.tmp-\ScreenConnect.InstallerActions.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\MSIDA0A.tmp-\ScreenConnect.Windows.dll | 0% | ReversingLabs | | |
| C:\Windows\Installer\MSIE815.tmp | 0% | ReversingLabs | | |
| C:\Windows\Installer\MSIEC0D.tmp | 0% | ReversingLabs | | |
                                  No Antivirus matches
                                  No Antivirus matches
                                  No Antivirus matches
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| sc.connectprotocol.es | 38.69.12.167 | true | false | | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| https://g.live.com/odclientsettings/Prod/C: | edb.log.10.dr, qmgr.db.10.dr | false | | high |
| http://crl.ver) | svchost.exe, 0000000A.00000002.3817515728.000001BF1A800000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://g.live.com/odclientsettings/ProdV2.C: | svchost.exe, 0000000A.00000003.2172362185.000001BF1A5A0000.00000004.00000800.00020000.00000000.sdmp, edb.log.10.dr, qmgr.db.10.dr | false | | high |
| http://wixtoolset.org/releases/ | rundll32.exe, 00000005.00000003.2092702422.0000000004943000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2092498674.0000000004AB1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2092498674.0000000004A42000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr, Microsoft.Deployment.Compression.dll.5.dr | false | | high |
| http://wixtoolset.org/news/ | rundll32.exe, 00000005.00000003.2092702422.0000000004943000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2092498674.0000000004AB1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2092498674.0000000004A42000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr, Microsoft.Deployment.Compression.dll.5.dr | false | | high |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 6IqUjK9Koj.exe, 00000000.00000002.2087150563.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000008.00000002.3951793612.0000000001552000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000B.00000002.2199446681.0000000003111000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v | rundll32.exe, 00000005.00000003.2092702422.0000000004943000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2092498674.0000000004AB1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2092498674.0000000004A42000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.Compression.Cab.dll.5.dr, Microsoft.Deployment.Compression.dll.5.dr | false | | high |
| https://feedback.screenconnect.com/Feedback.axd | ScreenConnect.Core.dll.3.dr | false | | high |
| https://docs.rs/getrandom#nodejs-es-module-support | ScreenConnect.WindowsCredentialProvider.dll.3.dr | false | | high |
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 38.69.12.167 | sc.connectprotocol.es | United States | | 54583 | 54583US | false |
                                                      IP
                                                      127.0.0.1
                                                      Joe Sandbox version:41.0.0 Charoite
                                                      Analysis ID:1567467
                                                      Start date and time:2024-12-03 16:19:02 +01:00
                                                      Joe Sandbox product:CloudBasic
                                                      Overall analysis duration:0h 9m 40s
                                                      Hypervisor based Inspection enabled:false
                                                      Report type:full
                                                      Cookbook file name:default.jbs
                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                      Run name:Run with higher sleep bypass
                                                      Number of analysed new started processes analysed:14
                                                      Number of new started drivers analysed:0
                                                      Number of existing processes analysed:0
                                                      Number of existing drivers analysed:0
                                                      Number of injected processes analysed:0
                                                      Technologies:
                                                      • HCA enabled
                                                      • EGA enabled
                                                      • AMSI enabled
                                                      Analysis Mode:default
                                                      Analysis stop reason:Timeout
                                                      Sample name:6IqUjK9Koj.exe
                                                      renamed because original name is a hash value
                                                      Original Sample Name:2ca3ef2cdad572bcbf31b55fa293db2214df08d2bf0b266f0725e362cc26d3c6.exe
                                                      Detection:MAL
                                                      Classification:mal46.evad.winEXE@18/59@1/2
                                                      EGA Information:
                                                      • Successful, ratio: 60%
                                                      HCA Information:
                                                      • Successful, ratio: 70%
                                                      • Number of executed functions: 394
                                                      • Number of non-executed functions: 12
                                                      Cookbook Comments:
                                                      • Found application associated with file extension: .exe
                                                      • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                                      • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
                                                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                      • Excluded IPs from analysis (whitelisted): 23.218.208.109
                                                      • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
                                                      • Execution Graph export aborted for target 6IqUjK9Koj.exe, PID 7324 because it is empty
                                                      • Execution Graph export aborted for target rundll32.exe, PID 7552 because it is empty
                                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                      • Report size getting too big, too many NtSetInformationFile calls found.
                                                      • VT rate limit hit for: 6IqUjK9Koj.exe
                                                      No simulations
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| 38.69.12.167 | f53WqfzzNt.exe | malicious | ScreenConnect Tool | |
| 38.69.12.167 | tiG6Ep202n.exe | malicious | ScreenConnect Tool | |
| 38.69.12.167 | hB52OUUCE2.exe | malicious | ScreenConnect Tool | |
| 38.69.12.167 | lCwus2wfk6.exe | malicious | ScreenConnect Tool | |
| 38.69.12.167 | pbenHWj8JO.exe | malicious | ScreenConnect Tool | |
| 38.69.12.167 | 1g6DULljd2.exe | malicious | ScreenConnect Tool | |
| 38.69.12.167 | 2nmtr41l0S.exe | malicious | ScreenConnect Tool | |
| 38.69.12.167 | pbenHWj8JO.exe | malicious | ScreenConnect Tool | |
| 38.69.12.167 | lCwus2wfk6.exe | malicious | ScreenConnect Tool | |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| sc.connectprotocol.es | f53WqfzzNt.exe | malicious | ScreenConnect Tool | 38.69.12.167 |
| sc.connectprotocol.es | tiG6Ep202n.exe | malicious | ScreenConnect Tool | 38.69.12.167 |
| sc.connectprotocol.es | hB52OUUCE2.exe | malicious | ScreenConnect Tool | 38.69.12.167 |
| sc.connectprotocol.es | lCwus2wfk6.exe | malicious | ScreenConnect Tool | 38.69.12.167 |
| sc.connectprotocol.es | pbenHWj8JO.exe | malicious | ScreenConnect Tool | 38.69.12.167 |
| sc.connectprotocol.es | 1g6DULljd2.exe | malicious | ScreenConnect Tool | 38.69.12.167 |
| sc.connectprotocol.es | 2nmtr41l0S.exe | malicious | ScreenConnect Tool | 38.69.12.167 |
| sc.connectprotocol.es | pbenHWj8JO.exe | malicious | ScreenConnect Tool | 38.69.12.167 |
| sc.connectprotocol.es | lCwus2wfk6.exe | malicious | ScreenConnect Tool | 38.69.12.167 |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| 54583US | f53WqfzzNt.exe | malicious | ScreenConnect Tool | 38.69.12.167 |
| 54583US | tiG6Ep202n.exe | malicious | ScreenConnect Tool | 38.69.12.167 |
| 54583US | hB52OUUCE2.exe | malicious | ScreenConnect Tool | 38.69.12.167 |
| 54583US | lCwus2wfk6.exe | malicious | ScreenConnect Tool | 38.69.12.167 |
| 54583US | pbenHWj8JO.exe | malicious | ScreenConnect Tool | 38.69.12.167 |
| 54583US | 1g6DULljd2.exe | malicious | ScreenConnect Tool | 38.69.12.167 |
| 54583US | 2nmtr41l0S.exe | malicious | ScreenConnect Tool | 38.69.12.167 |
| 54583US | pbenHWj8JO.exe | malicious | ScreenConnect Tool | 38.69.12.167 |
| 54583US | lCwus2wfk6.exe | malicious | ScreenConnect Tool | 38.69.12.167 |
                                                                        No context
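| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Client.dll | f53WqfzzNt.exe | malicious | ScreenConnect Tool | |
| C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Client.dll | tiG6Ep202n.exe | malicious | ScreenConnect Tool | |
| C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Client.dll | hB52OUUCE2.exe | malicious | ScreenConnect Tool | |
| C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Client.dll | lCwus2wfk6.exe | malicious | ScreenConnect Tool | |
| C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Client.dll | pbenHWj8JO.exe | malicious | ScreenConnect Tool | |
| C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Client.dll | VVs9SAqm5N.exe | malicious | ScreenConnect Tool | |
| C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Client.dll | 1g6DULljd2.exe | malicious | ScreenConnect Tool | |
| C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Client.dll | 2nmtr41l0S.exe | malicious | ScreenConnect Tool | |
| C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.Client.dll | pbenHWj8JO.exe | malicious | ScreenConnect Tool | |
| C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.dll | f53WqfzzNt.exe | malicious | ScreenConnect Tool | |
| C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.dll | tiG6Ep202n.exe | malicious | ScreenConnect Tool | |
| C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.dll | hB52OUUCE2.exe | malicious | ScreenConnect Tool | |
| C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.dll | lCwus2wfk6.exe | malicious | ScreenConnect Tool | |
| C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.dll | pbenHWj8JO.exe | malicious | ScreenConnect Tool | |
| C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.dll | VVs9SAqm5N.exe | malicious | ScreenConnect Tool | |
| C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.dll | 1g6DULljd2.exe | malicious | ScreenConnect Tool | |
| C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.dll | 2nmtr41l0S.exe | malicious | ScreenConnect Tool | |
| C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.dll | pbenHWj8JO.exe | malicious | ScreenConnect Tool | |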
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:data
                                                                                                            Category:modified
                                                                                                            Size (bytes):219563
                                                                                                            Entropy (8bit):6.58380994770221
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3072:EW9LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDO/6Q+cxbr0qMGX:EWuH2aCGw1ST1wQLdqvX
                                                                                                            MD5:14205DE46CDD8835975AE5F8F9D9C661
                                                                                                            SHA1:EE0EB126EA0A7217DE747D6336D6562024A045F2
                                                                                                            SHA-256:11A17D3DB7E0040245136EF280C84561A7A8B5ABFA13893A60484D9F7F32B91F
                                                                                                            SHA-512:F4BA930964FFA65D9A5884D509B7D39FB29DB3C3C5C51351478E6872183B8A86F0C1232615D7FC837AF83D9862D2DF2217DB40E569B0BF5422CB4F73100BCF03
                                                                                                            Malicious:false
                                                                                                            Yara Hits:
                                                                                                            • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Config.Msi\68e15e.rbs, Author: Joe Security
                                                                                                            Preview:...@IXOS.@.....@.R.Y.@.....@.....@.....@.....@.....@......&.{0522F16A-6873-5B41-45A0-A61F7CB3B407}'.ScreenConnect Client (a532d472f1ff1d4e)..ScreenConnect.ClientSetup.msi.@.....@.....@.....@......DefaultIcon..&.{0522F16A-6873-5B41-45A0-A61F7CB3B407}.....@.....@.....@.....@.......@.....@.....@.......@....'.ScreenConnect Client (a532d472f1ff1d4e)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{CF9AE42D-A542-A5BE-DF54-2B1FF488B5E3}&.{0522F16A-6873-5B41-45A0-A61F7CB3B407}.@......&.{9509AE8A-E997-4132-8CAB-BAFE89DF77F6}&.{0522F16A-6873-5B41-45A0-A61F7CB3B407}.@......&.{8B377FBF-DB9A-CC34-86C5-7376F38045E2}&.{0522F16A-6873-5B41-45A0-A61F7CB3B407}.@......&.{323CD391-BE8F-8C69-EEBD-0C2E11594F31}&.{0522F16A-6873-5B41-45A0-A61F7CB3B407}.@......&.{992F76AD-4404-BDC8-9819-6B28811D5620}&.{0522F16A-6873-5B41-45A0-A61F7CB3B407}.@......&.{63515BD8-20DD-F293-D546-00656A7D96D3}&.{0522F16A-6873-5B41-45A0
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):444
                                                                                                            Entropy (8bit):4.5254339848602845
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:rHy2DLI4MWo9E5SL9cAIUPDLk6N7A7K3UMZRCl1jBlka:zHE4bSBxIU7TE7KtZRKBlka
                                                                                                            MD5:9B38D6900AA7DEA328BAEC4CA308737F
                                                                                                            SHA1:93960A7381926A250F5B2A800A2FB89E0A188BE7
                                                                                                            SHA-256:9D67E0E35D8DAD9B0AE368E607E134B755C3EB4BE2CE0A65578FEAE78116C794
                                                                                                            SHA-512:0DA66F8595ACEDF8465FFE9F825A5CA39E888F8C66AC17D83D091BB6D292352A3357BA09897CDF52439F61C1F2FDC0FB207E065C8D57928307DFB537D337321E
                                                                                                            Malicious:false
                                                                                                            Preview:...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP=c!.@To..2...n_\.......%........... A.p.p.l.i.c.a.t.i.o.n.T.i.t.l.e.....2B.l.a.n.k.M.o.n.i.t.o.r.M.e.s.s.a.g.e.F.o.r.m.a.t.....>H.i.d.d.e.n.A.p.p.B.a.l.l.o.o.n.T.e.x.t.T.i.t.l.e.F.o.r.m.a.t.....8U.n.d.e.r.C.o.n.t.r.o.l.B.a.n.n.e.r.T.e.x.t.F.o.r.m.a.t.......File......
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):50133
                                                                                                            Entropy (8bit):4.759054454534641
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:1536:p1+F+UTQd/3EUDv8vw+Dsj2jr0FJK97w/Leh/KR1exJKekmrg9:p1+F+UTQWUDv8vw+Dsj2jr0FJK97w/LR
                                                                                                            MD5:D524E8E6FD04B097F0401B2B668DB303
                                                                                                            SHA1:9486F89CE4968E03F6DCD082AA2E4C05AEF46FCC
                                                                                                            SHA-256:07D04E6D5376FFC8D81AFE8132E0AA6529CCCC5EE789BEA53D56C1A2DA062BE4
                                                                                                            SHA-512:E5BC6B876AFFEB252B198FEB8D213359ED3247E32C1F4BFC2C5419085CF74FE7571A51CAD4EAAAB8A44F1421F7CA87AF97C9B054BDB83F5A28FA9A880D4EFDE5
                                                                                                            Malicious:false
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):26722
                                                                                                            Entropy (8bit):7.7401940386372345
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:384:rAClIRkKxFCQPZhNAmutHcRIfvVf6yMt+FRVoSVCdcDk6jO0n/uTYUq5ZplYKlBy:MV3PZrXgTf6vEVm6zjpGYUElerG49
                                                                                                            MD5:5CD580B22DA0C33EC6730B10A6C74932
                                                                                                            SHA1:0B6BDED7936178D80841B289769C6FF0C8EEAD2D
                                                                                                            SHA-256:DE185EE5D433E6CFBB2E5FCC903DBD60CC833A3CA5299F2862B253A41E7AA08C
                                                                                                            SHA-512:C2494533B26128FBF8149F7D20257D78D258ABFFB30E4E595CB9C6A742F00F1BF31B1EE202D4184661B98793B9909038CF03C04B563CE4ECA1E2EE2DEC3BF787
                                                                                                            Malicious:false
                                                                                                            Preview:...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP)...s^.J.....E.....(....jF.C...1P)...H..../..72J..I.J.a.K8c._.ks`.k.`.kK..m.M6p............b...P...........'...!...............K...............w.......P.......1......."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.1.6.....$A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.2.5.6....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.3.2....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.4.8.....,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.B.l.a.n.k.1.6.;...(A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.M.a.c.2.2.....0A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.O.p.a.q.u.e.1.9.2.8...,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.T.i.t.l.e.1.6.....6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.C.o.l.o.r.4...6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.:...DB.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.V.i.s.i.b.l.e.xb..*B.l.a.n.k.M.o.n.i.t.o.r.T.e.x.t.C.o.l.o.r..b..*D.a.r.k.T.h.e.m.e.B.a.r.B.a.s.e.C.o.l.o.r..b..<D.a.r.k.T.h.
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):197120
                                                                                                            Entropy (8bit):6.586775768189165
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3072:/xLtNGTlIyS7/ObjusqVFJRJcyzvYqSmzDvJXYF:FtNGTGySabqPJYbqSmG
                                                                                                            MD5:3724F06F3422F4E42B41E23ACB39B152
                                                                                                            SHA1:1220987627782D3C3397D4ABF01AC3777999E01C
                                                                                                            SHA-256:EA0A545F40FF491D02172228C1A39AE68344C4340A6094486A47BE746952E64F
                                                                                                            SHA-512:509D9A32179A700AD76471B4CD094B8EB6D5D4AE7AD15B20FD76C482ED6D68F44693FC36BCB3999DA9346AE9E43375CD8FE02B61EDEABE4E78C4E2E44BF71D42
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Joe Sandbox View:
                                                                                                             • Filename: f53WqfzzNt.exe, Detection: malicious
                                                                                                             • Filename: tiG6Ep202n.exe, Detection: malicious
                                                                                                             • Filename: hB52OUUCE2.exe, Detection: malicious
                                                                                                             • Filename: lCwus2wfk6.exe, Detection: malicious
                                                                                                             • Filename: pbenHWj8JO.exe, Detection: malicious
                                                                                                             • Filename: VVs9SAqm5N.exe, Detection: malicious
                                                                                                             • Filename: 1g6DULljd2.exe, Detection: malicious
                                                                                                             • Filename: 2nmtr41l0S.exe, Detection: malicious
                                                                                                             • Filename: pbenHWj8JO.exe, Detection: malicious
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):68096
                                                                                                            Entropy (8bit):6.06942231395039
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:1536:+A0ZscQ5V6TsQqoSD6h6+39QFVIl1zJhb8gq:p0Zy3gUOQFVQzJq
                                                                                                            MD5:5DB908C12D6E768081BCED0E165E36F8
                                                                                                            SHA1:F2D3160F15CFD0989091249A61132A369E44DEA4
                                                                                                            SHA-256:FD5818DCDF5FC76316B8F7F96630EC66BB1CB5B5A8127CF300E5842F2C74FFCA
                                                                                                            SHA-512:8400486CADB7C07C08338D8876BC14083B6F7DE8A8237F4FE866F4659139ACC0B587EB89289D281106E5BAF70187B3B5E86502A2E340113258F03994D959328D
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Joe Sandbox View:
                                                                                                             • Filename: f53WqfzzNt.exe, Detection: malicious
                                                                                                             • Filename: tiG6Ep202n.exe, Detection: malicious
                                                                                                             • Filename: hB52OUUCE2.exe, Detection: malicious
                                                                                                             • Filename: lCwus2wfk6.exe, Detection: malicious
                                                                                                             • Filename: pbenHWj8JO.exe, Detection: malicious
                                                                                                             • Filename: VVs9SAqm5N.exe, Detection: malicious
                                                                                                             • Filename: 1g6DULljd2.exe, Detection: malicious
                                                                                                             • Filename: 2nmtr41l0S.exe, Detection: malicious
                                                                                                             • Filename: pbenHWj8JO.exe, Detection: malicious
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):95512
                                                                                                            Entropy (8bit):6.504684691533346
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:1536:Eg1s9pgbNBAklbZfe2+zRVdHeDxGXAorrCnBsWBcd6myJkggU0HMx790K:dhbNDxZGXfdHrX7rAc6myJkggU0HqB
                                                                                                            MD5:75B21D04C69128A7230A0998086B61AA
                                                                                                            SHA1:244BD68A722CFE41D1F515F5E40C3742BE2B3D1D
                                                                                                            SHA-256:F1B5C000794F046259121C63ED37F9EFF0CFE1258588ECA6FD85E16D3922767E
                                                                                                            SHA-512:8D51B2CD5F21C211EB8FEA4B69DC9F91DFFA7BB004D9780C701DE35EAC616E02CA30EF3882D73412F7EAB1211C5AA908338F3FA10FDF05B110F62B8ECD9D24C2
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):548864
                                                                                                            Entropy (8bit):6.034211651049746
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12288:xC2YKhQCNc6kVTplfWL/YTHUYCBdySISYz:HhE6O7WL/EC
                                                                                                            MD5:14E7489FFEBBB5A2EA500F796D881AD9
                                                                                                            SHA1:0323EE0E1FAA4AA0E33FB6C6147290AA71637EBD
                                                                                                            SHA-256:A2E9752DE49D18E885CBD61B29905983D44B4BC0379A244BFABDAA3188C01F0A
                                                                                                            SHA-512:2110113240B7D803D8271139E0A2439DBC86AE8719ECD8B132BBDA2520F22DC3F169598C8E966AC9C0A40E617219CB8FE8AAC674904F6A1AE92D4AC1E20627CD
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1721856
                                                                                                            Entropy (8bit):6.639085961200334
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24576:dx5xeYkYFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPo:dx5xTkYJkGYYpT0+TFiH7efP
                                                                                                            MD5:9AD3964BA3AD24C42C567E47F88C82B2
                                                                                                            SHA1:6B4B581FC4E3ECB91B24EC601DAA0594106BCC5D
                                                                                                            SHA-256:84A09ED81AFC5FF9A17F81763C044C82A2D9E26F852DE528112153EE9AB041D0
                                                                                                            SHA-512:CE557A89C0FE6DE59046116C1E262A36BBC3D561A91E44DCDA022BEF72CB75742C8B01BEDCC5B9B999E07D8DE1F94C665DD85D277E981B27B6BFEBEAF9E58097
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):260168
                                                                                                            Entropy (8bit):6.416438906122177
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3072:qJvChyA4m2zNGvxDd6Q6dtaVNVrlaHpFahvJ9ERnWtMG8Ff2lt9Bgcld5aaYxg:0IvxDdL6d8VNdlC3g0RCXh5D
                                                                                                            MD5:5ADCB5AE1A1690BE69FD22BDF3C2DB60
                                                                                                            SHA1:09A802B06A4387B0F13BF2CDA84F53CA5BDC3785
                                                                                                            SHA-256:A5B8F0070201E4F26260AF6A25941EA38BD7042AEFD48CD68B9ACF951FA99EE5
                                                                                                            SHA-512:812BE742F26D0C42FDDE20AB4A02F1B47389F8D1ACAA6A5BB3409BA27C64BE444AC06D4129981B48FA02D4C06B526CB5006219541B0786F8F37CF2A183A18A73
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):61208
                                                                                                            Entropy (8bit):6.310126082367387
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:1536:kW/+lo6MOc8IoiKWjrNv8DtyQ4RE+TC6WAhVbb57bP8:kLlo6dccldyQGWy5s
                                                                                                            MD5:AFA97CAF20F3608799E670E9D6253247
                                                                                                            SHA1:7E410FDE0CA1350AA68EF478E48274888688F8EE
                                                                                                            SHA-256:E25F32BA3FA32FD0DDD99EB65B26835E30829B5E4B58573690AA717E093A5D8F
                                                                                                            SHA-512:FE0B378651783EF4ADD3851E12291C82EDCCDE1DBD1FA0B76D7A2C2DCD181E013B9361BBDAE4DAE946C0D45FB4BF6F75DC027F217326893C906E47041E3039B0
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):266
                                                                                                            Entropy (8bit):4.842791478883622
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
                                                                                                            MD5:728175E20FFBCEB46760BB5E1112F38B
                                                                                                            SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                                                                                            SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                                                                                            SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                                                                                            Malicious:false
                                                                                                            Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):602392
                                                                                                            Entropy (8bit):6.176232491934078
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6144:fybAk1FVMVTZL/4TvqpU0pSdRW3akod1sI5mgve8mZXuRFtSc4q2/R4IEyxuV5AN:qbAOwJ/MvIFptJoR5NmtiFsxsFE
                                                                                                            MD5:1778204A8C3BC2B8E5E4194EDBAF7135
                                                                                                            SHA1:0203B65E92D2D1200DD695FE4C334955BEFBDDD3
                                                                                                            SHA-256:600CF10E27311E60D32722654EF184C031A77B5AE1F8ABAE8891732710AFEE31
                                                                                                            SHA-512:A902080FF8EE0D9AEFFA0B86E7980457A4E3705789529C82679766580DF0DC17535D858FBE50731E00549932F6D49011868DEE4181C6716C36379AD194B0ED69
                                                                                                            Malicious:true
                                                                                                            Yara Hits:
                                                                                                            • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe, Author: Joe Security
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):266
                                                                                                            Entropy (8bit):4.842791478883622
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
                                                                                                            MD5:728175E20FFBCEB46760BB5E1112F38B
                                                                                                            SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                                                                                            SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                                                                                            SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                                                                                            Malicious:true
                                                                                                            Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):842248
                                                                                                            Entropy (8bit):6.268561504485627
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12288:q9vy8YABMuiAoPyEIrJs7jBjaau+EAaMVtw:P8Y4MuiAoPyZrJ8jrvDVtw
                                                                                                            MD5:BE74AB7A848A2450A06DE33D3026F59E
                                                                                                            SHA1:21568DCB44DF019F9FAF049D6676A829323C601E
                                                                                                            SHA-256:7A80E8F654B9DDB15DDA59AC404D83DBAF4F6EAFAFA7ECBEFC55506279DE553D
                                                                                                            SHA-512:2643D649A642220CEEE121038FE24EA0B86305ED8232A7E5440DFFC78270E2BDA578A619A76C5BB5A5A6FE3D9093E29817C5DF6C5DD7A8FBC2832F87AA21F0CC
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):81688
                                                                                                            Entropy (8bit):5.8618809599146005
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:1536:Ety9l44Kzb1I5kLP+VVVVVVVVVVVVVVVVVVVVVVVVVC7j27Vy:PvqukLdn2s
                                                                                                            MD5:1AEE526DC110E24D1399AFFCCD452AB3
                                                                                                            SHA1:04DB0E8772933BC57364615D0D104DC2550BD064
                                                                                                            SHA-256:EBD04A4540D6E76776BD58DEEA627345D0F8FBA2C04CC65BE5E979A8A67A62A1
                                                                                                            SHA-512:482A8EE35D53BE907BE39DBD6C46D1F45656046BACA95630D1F07AC90A66F0E61D41F940FB166677AC4D5A48CF66C28E76D89912AED3D673A80737732E863851
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):266
                                                                                                            Entropy (8bit):4.842791478883622
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
                                                                                                            MD5:728175E20FFBCEB46760BB5E1112F38B
                                                                                                            SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                                                                                            SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                                                                                            SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                                                                                            Malicious:false
                                                                                                            Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:XML 1.0 document, ASCII text, with very long lines (463), with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):953
                                                                                                            Entropy (8bit):5.76285111936072
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24:2dL9hK6E4dl/kGuanOt+qPySnLb5pUgzWvH:chh7HHiqo1nLHHWv
                                                                                                            MD5:D4A9F5EA2DA4BBD0CB33743E9BC848CE
                                                                                                            SHA1:BBEA3254495249FA96D667391BA4E90F92CBACD5
                                                                                                            SHA-256:644282531083B8CDE902CDBDB71BDC55C3AAE9225072465B66640C16A5923F27
                                                                                                            SHA-512:00186C860DAF6690F5A5D0E2B90DC76A049759562C52407BC51662F775FDE6DFFEFD036ACC4C8ADC9955E0D8F39897E6E11BDDBCF0003FE279B6D9DE31C63EC6
                                                                                                            Malicious:false
                                                                                                            Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="ClientLaunchParametersConstraint" serializeAs="String">.. <value>?h=sc.connectprotocol.es&amp;p=8041&amp;k=BgIAAACkAABSU0ExAAgAAAEAAQC1kWKbpg72shug%2fcuGWQB7IuEBcyNy1kcDtCeo3N0RY4axIPh%2fFMztLn0b%2bG2MIuQOrKGq0Xsvxj7WUcZ%2bdIiMwDt7qlLgFko33osOQisFILKOBROsqmoO0CYg%2fpKva7AaAU%2bym8ZeY9OkPYj7knkvh679kRKgwWM5tfC%2fbhzztt1d5pfIewfVI67rLcAGqXh1hUDy%2bbdI6LG6r8m8lQczrbhXAZJ%2fuvXvUGXN6ZWttC7E00yJiy6fPWNioX5EJ%2fn2uX9gCWU%2bpspAIXXJhOyEHV84BHAUT0rgC1re8M9Puttx9uDjI37OpBOLw%2f5qq735uizmWAgUfhfj%2fLZeRyvQ</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):8192
                                                                                                            Entropy (8bit):0.3588072191296206
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6:6xkoaaD0JOCEfMuaaD0JOCEfMKQmDhxkoaaD0JOCEfMuaaD0JOCEfMKQmD:maaD0JcaaD0JwQQ3aaD0JcaaD0JwQQ
                                                                                                            MD5:663C5D6018506231E334FB3EA962ED1C
                                                                                                            SHA1:539A4641CE92E57E4ADEE32750A817326E596D4C
                                                                                                            SHA-256:066CB701C03237D2612AA647E6BF08EF594360F96E433639B0CC9EED7335F1E1
                                                                                                            SHA-512:5F910653FD1B12B94D314EDEDF6EB2BEC70D369D921EB5B7CF4D199B0374D6C798336E39DBF2781F3B0457280E0DDA63BDF4861DF31C08152544B0F1039D5FCD
                                                                                                            Malicious:false
                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1310720
                                                                                                            Entropy (8bit):0.8337007459016968
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:1536:gJhkM9gB0CnCm0CQ0CESJPB9JbJQfvcso0l1T4MfzzTi1FjIIXYvjbglQdmHDuga:gJjJGtpTq2yv1AuNZRY3diu8iBVqFs
                                                                                                            MD5:8246BB4700A6E60A700D98918DD397F4
                                                                                                            SHA1:93EE2171E8A001F8971F54F982395A54602DB2A1
                                                                                                            SHA-256:E7846DE33D180D9468D88DBD688779853ACB3B1D8AB1E69CCAC502AF146B5D29
                                                                                                            SHA-512:DE9AA8D12072400CFE599C20C4A568519FC1B901C6393AE7E7D1235E742496F8A813DD639627CDDCE2B9F35F5B37B686995EF75847D930BFBADA19C0F504580E
                                                                                                            Malicious:false
                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                            File Type:Extensible storage engine DataBase, version 0x620, checksum 0xcee8a686, page size 16384, Windows version 10.0
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1310720
                                                                                                            Entropy (8bit):0.6584846689423396
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:1536:ZSB2ESB2SSjlK/AxrO1T1B0CZSJWYkr3g16n2UPkLk+kdbI/0uznv0M1Dn/didMV:Zaza6xhzA2U8HDnAPZ4PZf9h/9h
                                                                                                            MD5:9FEA4513F7122CE85195A0EC7DDC99A0
                                                                                                            SHA1:2E52991615543FB571737D7AFE38D8E7BF4FD0AB
                                                                                                            SHA-256:FDF72561233C908C99EF1BC48EE3703C6D83619D4BDC83E38E6ECC9F1912424E
                                                                                                            SHA-512:8A1C9E1543E5E35950EB74F9453F023E2796FAA4DB1A1E8CDF7AA664A6583BC7117329E223FB425F01EAB7033A08DE9634A7D581D29396CEA011C2CACF5B1D41
                                                                                                            Malicious:false
                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):16384
                                                                                                            Entropy (8bit):0.07947827058920427
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6:ydzRBkl/weuzqmIA6l/bxSl/Az8KgR+t:ydc/I+/U/28hR+
                                                                                                            MD5:0D6A6D576974FC66B4472441AEC60D9F
                                                                                                            SHA1:54729588B0D728320F18A66EB4346D146DAC4F47
                                                                                                            SHA-256:CBB391C5451D53922A3540116C2DCF3EFFADBE8619D91B4E06222A9468BFC862
                                                                                                            SHA-512:AA17F26E23FDB7FBCE4639FD21B2D31146BC9A666FF1B5276C62730AC9E59CF31E431ECCB8E0D9776957EDE6D20EA7E49BDF581BD49CA15ABCD5B5D316D0391B
                                                                                                            Malicious:false
                                                                                                            Process:C:\Users\user\Desktop\6IqUjK9Koj.exe
                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):321
                                                                                                            Entropy (8bit):5.36509199858051
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTrM3RJoDLIP12MUAvvR+uCv:Q3La/KDLI4MWuPTArkvoDLI4MWuCv
                                                                                                            MD5:1CF2352B684EF57925D98E766BA897F2
                                                                                                            SHA1:6E8CB2C1143E9D9D1211BAA811FE4CAA49C08B55
                                                                                                            SHA-256:43C3FB3C0B72A899C5442DAC8748D019D800E0A9421D3677EB96E196ED285290
                                                                                                            SHA-512:9F2D6F89453C867386A65A04FF96067FC3B23A99A4BCE0ECD227E130F409069FE6DD202D4839CBF204C3F204EC058D6CDFDADA7DD212BC2356D74FEC97F22061
                                                                                                            Malicious:true
                                                                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..
                                                                                                            Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):746
                                                                                                            Entropy (8bit):5.349174276064173
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhaOK9eDLI4MNJK9P/JNTK9yirkvoDLb:ML9E4KlKDE4KhKiKhPKIE4oKNzKogE4P
                                                                                                            MD5:ED994980CB1AABB953B2C8ECDC745E1F
                                                                                                            SHA1:9E9D3E00A69FC862F4D3C30F42BF26693A2D2A21
                                                                                                            SHA-256:D23B54CCF9F6327FE1158762D4E5846649699A7B78418D056A197835ED1EBE79
                                                                                                            SHA-512:61DFC93154BCD734B9836A6DECF93674499FF533E2B9A1188886E2CBD04DF35538368485AA7E775B641ADC120BAE1AC2551B28647951C592AA77F6747F0E9187
                                                                                                            Malicious:false
                                                                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..
                                                                                                            Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1088392
                                                                                                            Entropy (8bit):7.789940577622617
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24576:QUUGGHn+rUGemcPe9MpKL4Plb2sZWV+tLv0QYu5OPthT+gd:jGHpRPqMpvlqs0O4iO2k
                                                                                                            MD5:8A8767F589EA2F2C7496B63D8CCC2552
                                                                                                            SHA1:CC5DE8DD18E7117D8F2520A51EDB1D165CAE64B0
                                                                                                            SHA-256:0918D8AB2237368A5CEC8CE99261FB07A1A1BEEDA20464C0F91AF0FE3349636B
                                                                                                            SHA-512:518231213CA955ACDF37B4501FDE9C5B15806D4FC166950EB8706E8D3943947CF85324FAEE806D7DF828485597ECEFFCFA05CA1A5D8AB1BD51ED12DF963A1FE4
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                            File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):234
                                                                                                            Entropy (8bit):4.977464602412109
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6:JiMVBdTMkIffVymRMT4/0xC/C7VrfC7VNQpuAW4QIT:MMHd413VymhsS+Qg93xT
                                                                                                            MD5:6F52EBEA639FD7CEFCA18D9E5272463E
                                                                                                            SHA1:B5E8387C2EB20DD37DF8F4A3B9B0E875FA5415E3
                                                                                                            SHA-256:7027B69AB6EBC9F3F7D2F6C800793FDE2A057B76010D8CFD831CF440371B2B23
                                                                                                            SHA-512:B5960066430ED40383D39365EADB3688CADADFECA382404924024C908E32C670AFABD37AB41FF9E6AC97491A5EB8B55367D7199002BF8569CF545434AB2F271A
                                                                                                            Malicious:false
                                                                                                            Preview:.<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>..</configuration>
                                                                                                            Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):49152
                                                                                                            Entropy (8bit):4.62694170304723
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:768:sqbC2wmdVdX9Y6BCH+C/FEQl2ifnxwr02Gy/G4Xux+bgHGvLw4:sAtXPC/Cifnxs02Gyu4Xu0MeR
                                                                                                            MD5:77BE59B3DDEF06F08CAA53F0911608A5
                                                                                                            SHA1:A3B20667C714E88CC11E845975CD6A3D6410E700
                                                                                                            SHA-256:9D32032109FFC217B7DC49390BD01A067A49883843459356EBFB4D29BA696BF8
                                                                                                            SHA-512:C718C1AFA95146B89FC5674574F41D994537AF21A388335A38606AEC24D6A222CBCE3E6D971DFE04D86398E607815DF63A54DA2BB96CCF80B4F52072347E1CE6
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):36864
                                                                                                            Entropy (8bit):4.340550904466943
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:384:GqJxldkxhW9N5u8IALLU0X9Z1kTOPJlqE:GqJxl6xsPIA9COxlqE
                                                                                                            MD5:4717BCC62EB45D12FFBED3A35BA20E25
                                                                                                            SHA1:DA6324A2965C93B70FC9783A44F869A934A9CAF7
                                                                                                            SHA-256:E04DE7988A2A39931831977FA22D2A4C39CF3F70211B77B618CAE9243170F1A7
                                                                                                            SHA-512:BB0ABC59104435171E27830E094EAE6781D2826ED2FC9009C8779D2CA9399E38EDB1EC6A10C1676A5AF0F7CACFB3F39AC2B45E61BE2C6A8FE0EDB1AF63A739CA
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):57344
                                                                                                            Entropy (8bit):4.657268358041957
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:768:BLNru62y+VqB4N5SBcDhDxW7ZkCmX2Qv1Sf0AQdleSBRxf+xUI3:BJ2yUGmh2O11AsleyRxf+xt
                                                                                                            MD5:A921A2B83B98F02D003D9139FA6BA3D8
                                                                                                            SHA1:33D67E11AD96F148FD1BFD4497B4A764D6365867
                                                                                                            SHA-256:548C551F6EBC5D829158A1E9AD1948D301D7C921906C3D8D6B6D69925FC624A1
                                                                                                            SHA-512:E1D7556DAF571C009FE52D6FFE3D6B79923DAEEA39D754DDF6BEAFA85D7A61F3DB42DFC24D4667E35C4593F4ED6266F4099B393EFA426FA29A72108A0EAEDD3E
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):176128
                                                                                                            Entropy (8bit):5.775360792482692
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3072:FkfZS7FUguxN+77b1W5GR69UgoCaf8TpCnfKlRUjW01Ky4:x+c7b1W4R6joxfQE
                                                                                                            MD5:5EF88919012E4A3D8A1E2955DC8C8D81
                                                                                                            SHA1:C0CFB830B8F1D990E3836E0BCC786E7972C9ED62
                                                                                                            SHA-256:3E54286E348EBD3D70EAED8174CCA500455C3E098CDD1FCCB167BC43D93DB29D
                                                                                                            SHA-512:4544565B7D69761F9B4532CC85E7C654E591B2264EB8DA28E60A058151030B53A99D1B2833F11BFC8ACC837EECC44A7D0DBD8BC7AF97FC0E0F4938C43F9C2684
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):548864
                                                                                                            Entropy (8bit):6.034211651049746
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12288:xC2YKhQCNc6kVTplfWL/YTHUYCBdySISYz:HhE6O7WL/EC
                                                                                                            MD5:14E7489FFEBBB5A2EA500F796D881AD9
                                                                                                            SHA1:0323EE0E1FAA4AA0E33FB6C6147290AA71637EBD
                                                                                                            SHA-256:A2E9752DE49D18E885CBD61B29905983D44B4BC0379A244BFABDAA3188C01F0A
                                                                                                            SHA-512:2110113240B7D803D8271139E0A2439DBC86AE8719ECD8B132BBDA2520F22DC3F169598C8E966AC9C0A40E617219CB8FE8AAC674904F6A1AE92D4AC1E20627CD
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):11776
                                                                                                            Entropy (8bit):5.273875899788767
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:V8/Qp6lCJuV3jHXtyVNamVNG1YZfCrMmbfHJ7kjvLjbuLd9NEFbM64:y/cBJaLXt2NaheUrMmb/FkjvLjbuZj64
                                                                                                            MD5:73A24164D8408254B77F3A2C57A22AB4
                                                                                                            SHA1:EA0215721F66A93D67019D11C4E588A547CC2AD6
                                                                                                            SHA-256:D727A640723D192AA3ECE213A173381682041CB28D8BD71781524DBAE3DDBF62
                                                                                                            SHA-512:650D4320D9246AAECD596AC8B540BF7612EC7A8F60ECAA6E9C27B547B751386222AB926D0C915698D0BB20556475DA507895981C072852804F0B42FDDA02B844
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1721856
                                                                                                            Entropy (8bit):6.639085961200334
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24576:dx5xeYkYFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPo:dx5xTkYJkGYYpT0+TFiH7efP
                                                                                                            MD5:9AD3964BA3AD24C42C567E47F88C82B2
                                                                                                            SHA1:6B4B581FC4E3ECB91B24EC601DAA0594106BCC5D
                                                                                                            SHA-256:84A09ED81AFC5FF9A17F81763C044C82A2D9E26F852DE528112153EE9AB041D0
                                                                                                            SHA-512:CE557A89C0FE6DE59046116C1E262A36BBC3D561A91E44DCDA022BEF72CB75742C8B01BEDCC5B9B999E07D8DE1F94C665DD85D277E981B27B6BFEBEAF9E58097
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Users\user\Desktop\6IqUjK9Koj.exe
                                                                                                            File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {0522F16A-6873-5B41-45A0-A61F7CB3B407}, Create Time/Date: Mon Oct 28 17:43:52 2024, Last Saved Time/Date: Mon Oct 28 17:43:52 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
                                                                                                            Category:dropped
                                                                                                            Size (bytes):9961472
                                                                                                            Entropy (8bit):7.957250042806157
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:98304:GwJ4t1h0cG5FGJRPxow8OhwJ4t1h0cG5FwJ4t1h0cG5iwJ4t1h0cG5jwJ4t1h0cW:TWh0cGwAWh0cGAWh0cGpWh0cGGWh0cG
                                                                                                            MD5:9B4A27E93C779F132395052EA938FD8D
                                                                                                            SHA1:3A7BECD68C47B7D7390919BECE8B05DF731D43FC
                                                                                                            SHA-256:79CB85681AC8F488FA4DBBC8A6DB9CF67AD4315C81F1EE86BB9808205EE51285
                                                                                                            SHA-512:70FE1809228129D459DB81315D157DCB15D3E2C877A89864F38F4F46D229765B67CBD34F887B543789FB34A8188CC0B846195865426CE048FE82BAFDEB12BB99
                                                                                                            Malicious:false
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {0522F16A-6873-5B41-45A0-A61F7CB3B407}, Create Time/Date: Mon Oct 28 17:43:52 2024, Last Saved Time/Date: Mon Oct 28 17:43:52 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
                                                                                                            Category:dropped
                                                                                                            Size (bytes):9961472
                                                                                                            Entropy (8bit):7.957250042806157
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:98304:GwJ4t1h0cG5FGJRPxow8OhwJ4t1h0cG5FwJ4t1h0cG5iwJ4t1h0cG5jwJ4t1h0cW:TWh0cGwAWh0cGAWh0cGpWh0cGGWh0cG
                                                                                                            MD5:9B4A27E93C779F132395052EA938FD8D
                                                                                                            SHA1:3A7BECD68C47B7D7390919BECE8B05DF731D43FC
                                                                                                            SHA-256:79CB85681AC8F488FA4DBBC8A6DB9CF67AD4315C81F1EE86BB9808205EE51285
                                                                                                            SHA-512:70FE1809228129D459DB81315D157DCB15D3E2C877A89864F38F4F46D229765B67CBD34F887B543789FB34A8188CC0B846195865426CE048FE82BAFDEB12BB99
                                                                                                            Malicious:false
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):423665
                                                                                                            Entropy (8bit):6.5777682934194415
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6144:xuH2aCGw1ST1wQLdqv5uH2aCGw1ST1wQLdqvc:xuH2anwohwQUv5uH2anwohwQUvc
                                                                                                            MD5:994972DBF01967D71C16974FF5C34F9A
                                                                                                            SHA1:0FE6147D66B91F8A1E60E04EC8E403C10A96552A
                                                                                                            SHA-256:434B1EC8ACA8CF03682C30C192719240D045D372305825F001153AD76EFD5042
                                                                                                            SHA-512:40145E4E41CF9FBF9D30FE96405C9F50CE11657DD64E9554C31F1841847D15C0B0892A13CFC65F1925C440D13F3775C5B5FC8270E9B32267B5674C40890C90AD
                                                                                                            Malicious:false
                                                                                                            Yara Hits:
                                                                                                            • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Installer\MSIE7F5.tmp, Author: Joe Security
                                                                                                            Preview:...@IXOS.@.....@.R.Y.@.....@.....@.....@.....@.....@......&.{0522F16A-6873-5B41-45A0-A61F7CB3B407}'.ScreenConnect Client (a532d472f1ff1d4e)..ScreenConnect.ClientSetup.msi.@.....@.....@.....@......DefaultIcon..&.{0522F16A-6873-5B41-45A0-A61F7CB3B407}.....@.....@.....@.....@.......@.....@.....@.......@....'.ScreenConnect Client (a532d472f1ff1d4e)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{CF9AE42D-A542-A5BE-DF54-2B1FF488B5E3}^.C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.dll.@.......@.....@.....@......&.{9509AE8A-E997-4132-8CAB-BAFE89DF77F6}f.C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsBackstageShell.exe.@.......@.....@.....@......&.{8B377FBF-DB9A-CC34-86C5-7376F38045E2}c.C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsFileMa
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):207360
                                                                                                            Entropy (8bit):6.573348437503042
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3072:X9LUHM7ptZ8UKOGw5vMWSuRy1YaDJkflQn3H+QDO/6Q+cxbr0qMG:XuH2aCGw1ST1wQLdqv
                                                                                                            MD5:BA84DD4E0C1408828CCC1DE09F585EDA
                                                                                                            SHA1:E8E10065D479F8F591B9885EA8487BC673301298
                                                                                                            SHA-256:3CFF4AC91288A0FF0C13278E73B282A64E83D089C5A61A45D483194AB336B852
                                                                                                            SHA-512:7A38418F6EE8DBC66FAB2CD5AD8E033E761912EFC465DAA484858D451DA4B8576079FE90FD3B6640410EDC8B3CAC31C57719898134F246F4000D60A252D88290
                                                                                                            Malicious:false
                                                                                                            Antivirus:
                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                            Category:dropped
                                                                                                            Size (bytes):20480
                                                                                                            Entropy (8bit):1.170788221904358
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:JSbX72Fjh+AGiLIlHVRpIh/7777777777777777777777777vDHFCTMOpL7rl0i5:J2QI5wATMOpuF
                                                                                                            MD5:4C4DFE76460D4C1BC6A725AA60BA217F
                                                                                                            SHA1:34C27E85D58719763840FFDEF53C8543277C023A
                                                                                                            SHA-256:A338365AA9FA12078BAD0DA68905E005307E889084B5B4691A901E707B8AFEC7
                                                                                                            SHA-512:39D247CFF19FF6BD3DE49E10AB0AE9C10D8FC1CF32476E32805D4090A62CC7E1E474133FAF437CD81EBEFCE98E4CEDD1E445E1A34682DA02E574A58E59DEC7EF
                                                                                                            Malicious:false
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                            Category:dropped
                                                                                                            Size (bytes):20480
                                                                                                            Entropy (8bit):1.8103538834336577
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:A/98Ph6uRc06WXzIFT54IYIxnqcq56AduHvlSird/2cPWGn3f9aud+GZPbg7rWAj:A/gh61tFTHqp4frd/4G3f9FDp3
                                                                                                            MD5:C2E8F0182752EA482443C06B639903BB
                                                                                                            SHA1:8B6E95B229D7FCFF0547ED016F427D2A7CF9E545
                                                                                                            SHA-256:19B928472A284E44E4032432F1C8273AA12D04D34FB4E429BC2004A90FD1D7F5
                                                                                                            SHA-512:A48E721936B32A408B167DB321510F535ECB82719EFEB7A9740D8A92378887A9282D029EB33C5BDF59971C091EEE3F82A0F4D87AC380398395BE6F7A4CB77DEF
                                                                                                            Malicious:false
                                                                                                            Yara Hits:
                                                                                                            • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Installer\inprogressinstallinfo.ipi, Author: Joe Security
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:MS Windows icon resource - 3 icons, 16x16 with PNG image data, 16 x 16, 8-bit colormap, non-interlaced, 4 bits/pixel, 32x32 with PNG image data, 32 x 32, 1-bit colormap, non-interlaced, 4 bits/pixel
                                                                                                            Category:dropped
                                                                                                            Size (bytes):435
                                                                                                            Entropy (8bit):5.289734780210945
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:Kvv/7tghWPjScQZ/Ev/739Jgh5TZYR/v/71XfghNeZ:QOZZq9JOz0dONeZ
                                                                                                            MD5:F34D51C3C14D1B4840AE9FF6B70B5D2F
                                                                                                            SHA1:C761D3EF26929F173CEB2F8E01C6748EE2249A8A
                                                                                                            SHA-256:0DD459D166F037BB8E531EB2ECEB2B79DE8DBBD7597B05A03C40B9E23E51357A
                                                                                                            SHA-512:D6EEB5345A5A049A87BFBFBBBEBFBD9FBAEC7014DA41DB1C706E8B16DDEC31561679AAE9E8A0847098807412BD1306B9616C8E6FCFED8683B4F33BD05ADE38D1
                                                                                                            Malicious:false
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):364484
                                                                                                            Entropy (8bit):5.365477989848415
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgauz:zTtbmkExhMJCIpEo
                                                                                                            MD5:AD4074BA2C005E94B06CEF3983EE3250
                                                                                                            SHA1:D96A3DE9738CFCAEDCF079F30C87019927D9B639
                                                                                                            SHA-256:469E762650EC96B54607AE1345DA14AD41FF2E2B1A70BACC8E04387019AD60C7
                                                                                                            SHA-512:3E96148D311A2F4B0C91116A2DBE69026A15AC27BE9A3EE50845296DD0DE839022A3E49610FC90F940AE8ED1480EC4433BD90E7D5344DFCAB4E6DDF637B5E988
                                                                                                            Malicious:false
                                                                                                            Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                            File Type:JSON data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):55
                                                                                                            Entropy (8bit):4.306461250274409
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                            MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                            SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                            SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                            SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                            Malicious:false
                                                                                                            Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                                            Process:C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe
                                                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                            Category:modified
                                                                                                            Size (bytes):565
                                                                                                            Entropy (8bit):5.0119257966716475
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENOmMx0dhEitfm/vXbAa3xT:2dL9hK6E46YPEJf8vH
                                                                                                            MD5:C6382F66071F0B51133510FAD4DC91B4
                                                                                                            SHA1:C4CAF189C4D61654955CB9CFED7CCE60280FD528
                                                                                                            SHA-256:8574D9DF4378B517F95F26C9CEB6F6D2724A4B0CE6BDCFC4831918535ABC4AEA
                                                                                                            SHA-512:13FD62FEEAE8ADBB94BF59D43F65BB43B934D63FE1C59CCD8108EB88D41EA81745B0EC84C2E9175259E1F80FFAA836E0BF89B3B70EFA141DAF376CE19424ED61
                                                                                                            Malicious:false
                                                                                                            Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>sc.connectprotocol.es=38.69.12.167-03%2f12%2f2024%2015%3a20%3a03</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                                                                                            Process:C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe
                                                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):565
                                                                                                            Entropy (8bit):5.0119257966716475
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENOmMx0dhEitfm/vXbAa3xT:2dL9hK6E46YPEJf8vH
                                                                                                            MD5:C6382F66071F0B51133510FAD4DC91B4
                                                                                                            SHA1:C4CAF189C4D61654955CB9CFED7CCE60280FD528
                                                                                                            SHA-256:8574D9DF4378B517F95F26C9CEB6F6D2724A4B0CE6BDCFC4831918535ABC4AEA
                                                                                                            SHA-512:13FD62FEEAE8ADBB94BF59D43F65BB43B934D63FE1C59CCD8108EB88D41EA81745B0EC84C2E9175259E1F80FFAA836E0BF89B3B70EFA141DAF376CE19424ED61
                                                                                                            Malicious:false
                                                                                                            Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>sc.connectprotocol.es=38.69.12.167-03%2f12%2f2024%2015%3a20%3a03</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                                                                                            Process:C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe
                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1590
                                                                                                            Entropy (8bit):5.363907225770245
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:MxHKQ71qHGIs0HKEHiYHKGSI6oPtHTHhAHKKkhHNpv:iq+wmj0qECYqGSI6oPtzHeqKkhtpv
                                                                                                            MD5:E88F0E3AD82AC5F6557398EBC137B0DE
                                                                                                            SHA1:20D4BBBE8E219D2D2A0E01DA1F7AD769C3AC84DA
                                                                                                            SHA-256:278AA1D32C89FC4CD991CA18B6E70D3904C57E50192FA6D882959EB16F14E380
                                                                                                            SHA-512:CA6A7AAE873BB300AC17ADE2394232E8C782621E30CA23EBCE8FE65EF2E5905005EFD2840FD9310FBB20D9E9848961FAE2873B3879FCBC58F8A6074337D5802D
                                                                                                            Malicious:false
                                                                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..2,"System.Deployment, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                            Category:dropped
                                                                                                            Size (bytes):32768
                                                                                                            Entropy (8bit):1.4278167306387686
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:ZpSuUth8FXzNT5aUgIYIxnqcq56AduHvlSird/2cPWGn3f9aud+GZPbg7rWAduHg:bS2zToYqp4frd/4G3f9FDp3
                                                                                                            MD5:D1A7721937C7FEB7871878EBE80B821D
                                                                                                            SHA1:8B71E65CFA854F42BECC6773AFB4A0F4F246D3CF
                                                                                                            SHA-256:DFF6B582B248E75144BC81DADA98376E7254172170E367119BB092DC5AF17778
                                                                                                            SHA-512:DC25DC53BA248D546B530DEA402549126EE79EAD034DBC6577DF46F38D95631955EDE163907F5043FEAFF95FDDE2374744ED2899C1F23C0932A5094DB4D06919
                                                                                                            Malicious:false
                                                                                                            Yara Hits:
                                                                                                            • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Temp\~DF1A9D54364A7DB45B.TMP, Author: Joe Security
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):512
                                                                                                            Entropy (8bit):0.0
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3::
                                                                                                            MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                            SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                            SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                            SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                            Malicious:false
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                            Category:dropped
                                                                                                            Size (bytes):32768
                                                                                                            Entropy (8bit):1.4278167306387686
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:ZpSuUth8FXzNT5aUgIYIxnqcq56AduHvlSird/2cPWGn3f9aud+GZPbg7rWAduHg:bS2zToYqp4frd/4G3f9FDp3
                                                                                                            MD5:D1A7721937C7FEB7871878EBE80B821D
                                                                                                            SHA1:8B71E65CFA854F42BECC6773AFB4A0F4F246D3CF
                                                                                                            SHA-256:DFF6B582B248E75144BC81DADA98376E7254172170E367119BB092DC5AF17778
                                                                                                            SHA-512:DC25DC53BA248D546B530DEA402549126EE79EAD034DBC6577DF46F38D95631955EDE163907F5043FEAFF95FDDE2374744ED2899C1F23C0932A5094DB4D06919
                                                                                                            Malicious:false
                                                                                                            Yara Hits:
                                                                                                            • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Temp\~DF1D89DB85DA994D3C.TMP, Author: Joe Security
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                            Category:dropped
                                                                                                            Size (bytes):32768
                                                                                                            Entropy (8bit):1.4278167306387686
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:ZpSuUth8FXzNT5aUgIYIxnqcq56AduHvlSird/2cPWGn3f9aud+GZPbg7rWAduHg:bS2zToYqp4frd/4G3f9FDp3
                                                                                                            MD5:D1A7721937C7FEB7871878EBE80B821D
                                                                                                            SHA1:8B71E65CFA854F42BECC6773AFB4A0F4F246D3CF
                                                                                                            SHA-256:DFF6B582B248E75144BC81DADA98376E7254172170E367119BB092DC5AF17778
                                                                                                            SHA-512:DC25DC53BA248D546B530DEA402549126EE79EAD034DBC6577DF46F38D95631955EDE163907F5043FEAFF95FDDE2374744ED2899C1F23C0932A5094DB4D06919
                                                                                                            Malicious:false
                                                                                                            Yara Hits:
                                                                                                            • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Temp\~DF830A435A15E4EDE9.TMP, Author: Joe Security
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                            Category:dropped
                                                                                                            Size (bytes):20480
                                                                                                            Entropy (8bit):1.8103538834336577
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:A/98Ph6uRc06WXzIFT54IYIxnqcq56AduHvlSird/2cPWGn3f9aud+GZPbg7rWAj:A/gh61tFTHqp4frd/4G3f9FDp3
                                                                                                            MD5:C2E8F0182752EA482443C06B639903BB
                                                                                                            SHA1:8B6E95B229D7FCFF0547ED016F427D2A7CF9E545
                                                                                                            SHA-256:19B928472A284E44E4032432F1C8273AA12D04D34FB4E429BC2004A90FD1D7F5
                                                                                                            SHA-512:A48E721936B32A408B167DB321510F535ECB82719EFEB7A9740D8A92378887A9282D029EB33C5BDF59971C091EEE3F82A0F4D87AC380398395BE6F7A4CB77DEF
                                                                                                            Malicious:false
                                                                                                            Yara Hits:
                                                                                                            • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Temp\~DF8520E176E00F1D33.TMP, Author: Joe Security
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):69632
                                                                                                            Entropy (8bit):0.23814356028285344
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:zibvXDBAduHvlS3qcq56AduHvlSird/2cPWGn3f9aud+GZPbg7rPAIYI:zwxp4frd/4G3f9FDG
                                                                                                            MD5:33A581A22A80973EA86237650A686151
                                                                                                            SHA1:294AE8AEA5E49C4F5AF8129FD8A2B73245D3F3DE
                                                                                                            SHA-256:182E009F4D95D728CC6E0EF8CD993230BE8322FD4EC72F24EEBAE1D7DA62DBCE
                                                                                                            SHA-512:171769EA5A896B0914EAE4143059E05922F1841E63291039948A56D788B18EB78AAA980979A665F66275E1FAC25EDB175A2CF4C799BA5E1811F0B69A18D505C8
                                                                                                            Malicious:false
                                                                                                            Yara Hits:
                                                                                                            • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Temp\~DFA7F10B559F8603C4.TMP, Author: Joe Security
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                            Category:dropped
                                                                                                            Size (bytes):20480
                                                                                                            Entropy (8bit):1.8103538834336577
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:A/98Ph6uRc06WXzIFT54IYIxnqcq56AduHvlSird/2cPWGn3f9aud+GZPbg7rWAj:A/gh61tFTHqp4frd/4G3f9FDp3
                                                                                                            MD5:C2E8F0182752EA482443C06B639903BB
                                                                                                            SHA1:8B6E95B229D7FCFF0547ED016F427D2A7CF9E545
                                                                                                            SHA-256:19B928472A284E44E4032432F1C8273AA12D04D34FB4E429BC2004A90FD1D7F5
                                                                                                            SHA-512:A48E721936B32A408B167DB321510F535ECB82719EFEB7A9740D8A92378887A9282D029EB33C5BDF59971C091EEE3F82A0F4D87AC380398395BE6F7A4CB77DEF
                                                                                                            Malicious:false
                                                                                                            Yara Hits:
                                                                                                            • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Windows\Temp\~DFAEC3A69C455F11CF.TMP, Author: Joe Security
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):32768
                                                                                                            Entropy (8bit):0.07674296284307157
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOCE8xjwJAUCSlSKChiVky6l51:2F0i8n0itFzDHFCTMOpL7r
                                                                                                            MD5:B0255BD77394128BBAE233B25A937663
                                                                                                            SHA1:B8CD7E28BC13D080D6FF1A1685B152919958BF60
                                                                                                            SHA-256:D6F4E730B7AEA62AC94FE63AD3430EF0279F27616C401201A709A350B42BD935
                                                                                                            SHA-512:9CB58A86868345505F8BB978C175B19C4A84EA62733D7278E298BE507524BE5483D64B80CE8A818CD27D2495EFD8450B81F321F8C164F3D28AF2AD94B43E9421
                                                                                                            Malicious:false
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):512
                                                                                                            Entropy (8bit):0.0
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3::
                                                                                                            MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                            SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                            SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                            SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                            Malicious:false
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):512
                                                                                                            Entropy (8bit):0.0
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3::
                                                                                                            MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                            SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                            SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                            SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                            Malicious:false
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):512
                                                                                                            Entropy (8bit):0.0
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3::
                                                                                                            MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                            SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                            SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                            SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                            Malicious:false
                                                                                                            Process:C:\Windows\System32\msiexec.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):512
                                                                                                            Entropy (8bit):0.0
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3::
                                                                                                            MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                            SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                            SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                            SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                            Malicious:false
                                                                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                            Entropy (8bit):7.429350398589266
                                                                                                            TrID:
                                                                                                            • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                                                                            • Win32 Executable (generic) a (10002005/4) 49.97%
                                                                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                            • DOS Executable Generic (2002/1) 0.01%
                                                                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                            File name:6IqUjK9Koj.exe
                                                                                                            File size:5'620'624 bytes
                                                                                                            MD5:3dba9333737442421a8badbacb64ed28
                                                                                                            SHA1:a626ea96e79c17452389f0adde9cdd486a441a3a
                                                                                                            SHA256:2ca3ef2cdad572bcbf31b55fa293db2214df08d2bf0b266f0725e362cc26d3c6
                                                                                                            SHA512:dbcbef86b111887276a147d9c37ba6394283ee44ef180d95cd5b0fefc976067656dd2c278eb6d4dd925277bb8af23f1090dd33cc91c343e7a001594bc76d7d46
                                                                                                            SSDEEP:49152:+EEL5cx5xTkYJkGYYpT0+TFiH7efP8Q1yJJ4ZD1F5z97oL1YbGQ+okRPGHpRPqM8:rEs6efPNwJ4t1h0cG5FGJRPxow8O
                                                                                                            TLSH:3746E111B3DA95B9D4BF063CD87A82699A74BC044712C7EF53D4BD2D2D32BC05A323A6
                                                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_..E>`.E>`.E>`.....O>`.....?>`.....]>`..Ee.`>`..Ed.T>`..Ec.Q>`.LF..A>`.[l..F>`.E>a.%>`..Ei.D>`..E..D>`..Eb.D>`.RichE>`........
                                                                                                            Icon Hash:00928e8e8686b000
                                                                                                            Entrypoint:0x4014ad
                                                                                                            Entrypoint Section:.text
                                                                                                            Digitally signed:true
                                                                                                            Imagebase:0x400000
                                                                                                            Subsystem:windows gui
                                                                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                            Time Stamp:0x6377E6AC [Fri Nov 18 20:10:20 2022 UTC]
                                                                                                            TLS Callbacks:
                                                                                                            CLR (.Net) Version:
                                                                                                            OS Version Major:5
                                                                                                            OS Version Minor:1
                                                                                                            File Version Major:5
                                                                                                            File Version Minor:1
                                                                                                            Subsystem Version Major:5
                                                                                                            Subsystem Version Minor:1
                                                                                                            Import Hash:9771ee6344923fa220489ab01239bdfd
                                                                                                            Signature Valid:true
                                                                                                            Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                                                                                                            Signature Validation Error:The operation completed successfully
                                                                                                            Error Number:0
                                                                                                            Not Before, Not After
                                                                                                            • 17/08/2022 02:00:00 16/08/2025 01:59:59
                                                                                                            Subject Chain
                                                                                                            • CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US
                                                                                                            Version:3
                                                                                                            Thumbprint MD5:AAE704EC2810686C3BF7704E660AFB5D
                                                                                                            Thumbprint SHA-1:4C2272FBA7A7380F55E2A424E9E624AEE1C14579
                                                                                                            Thumbprint SHA-256:82B4E7924D5BED84FB16DDF8391936EB301479CEC707DC14E23BC22B8CDEAE28
                                                                                                            Serial:0B9360051BCCF66642998998D5BA97CE
                                                                                                            Instruction
                                                                                                            call 00007FB504DFFFAAh
                                                                                                            jmp 00007FB504DFFA5Fh
                                                                                                            push ebp
                                                                                                            mov ebp, esp
                                                                                                            push 00000000h
                                                                                                            call dword ptr [0040D040h]
                                                                                                            push dword ptr [ebp+08h]
                                                                                                            call dword ptr [0040D03Ch]
                                                                                                            push C0000409h
                                                                                                            call dword ptr [0040D044h]
                                                                                                            push eax
                                                                                                            call dword ptr [0040D048h]
                                                                                                            pop ebp
                                                                                                            ret
                                                                                                            push ebp
                                                                                                            mov ebp, esp
                                                                                                            sub esp, 00000324h
                                                                                                            push 00000017h
                                                                                                            call dword ptr [0040D04Ch]
                                                                                                            test eax, eax
                                                                                                            je 00007FB504DFFBE7h
                                                                                                            push 00000002h
                                                                                                            pop ecx
                                                                                                            int 29h
                                                                                                            mov dword ptr [004148D8h], eax
                                                                                                            mov dword ptr [004148D4h], ecx
                                                                                                            mov dword ptr [004148D0h], edx
                                                                                                            mov dword ptr [004148CCh], ebx
                                                                                                            mov dword ptr [004148C8h], esi
                                                                                                            mov dword ptr [004148C4h], edi
                                                                                                            mov word ptr [004148F0h], ss
                                                                                                            mov word ptr [004148E4h], cs
                                                                                                            mov word ptr [004148C0h], ds
                                                                                                            mov word ptr [004148BCh], es
                                                                                                            mov word ptr [004148B8h], fs
                                                                                                            mov word ptr [004148B4h], gs
                                                                                                            pushfd
                                                                                                            pop dword ptr [004148E8h]
                                                                                                            mov eax, dword ptr [ebp+00h]
                                                                                                            mov dword ptr [004148DCh], eax
                                                                                                            mov eax, dword ptr [ebp+04h]
                                                                                                            mov dword ptr [004148E0h], eax
                                                                                                            lea eax, dword ptr [ebp+08h]
                                                                                                            mov dword ptr [004148ECh], eax
                                                                                                            mov eax, dword ptr [ebp-00000324h]
                                                                                                            mov dword ptr [00414828h], 00010001h
                                                                                                            Programming Language:
                                                                                                            • [IMP] VS2008 SP1 build 30729
                                                                                                            • [IMP] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x129c4 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x16000 | 0x533074 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x546200 | 0x16190 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x54a000 | 0xea8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x11f20 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x11e60 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xd000 | 0x13c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xb1af | 0xb200 | d9fa6da0baf4b869720be833223490cb | False | 0.6123156601123596 | data | 6.592039633797327 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xd000 | 0x6078 | 0x6200 | 8b45a1035c0de72f910a75db7749f735 | False | 0.41549744897959184 | data | 4.786621464556291 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x14000 | 0x11e4 | 0x800 | 1f4cc86b6735a74429c9d1feb93e2871 | False | 0.18310546875 | data | 2.265083745848167 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x16000 | 0x533074 | 0x533200 | d813d73373778ed5b0a4b71b252379eb | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x54a000 | 0xea8 | 0x1000 | a93b0f39998e1e69e5944da8c5ff06b1 | False | 0.72265625 | data | 6.301490309336801 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
FILES | 0x163d4 | 0x86000 | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | | | 0.3962220149253731
FILES | 0x9c3d4 | 0x1a4600 | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | | | 0.5111589431762695
FILES | 0x2409d4 | 0x1ac00 | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | | | 0.4415066442757009
FILES | 0x25b5d4 | 0x2ec318 | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | | | 0.9810924530029297
FILES | 0x5478ec | 0x1600 | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | | | 0.3908025568181818
RT_MANIFEST | 0x548eec | 0x188 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5892857142857143
DLL | Import
mscoree.dll | CorBindToRuntimeEx
KERNEL32.dll | GetModuleFileNameA, DecodePointer, SizeofResource, LockResource, LoadLibraryW, LoadResource, FindResourceW, GetProcAddress, WriteConsoleW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, FlushFileBuffers, HeapReAlloc, HeapSize, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwind, GetLastError, SetLastError, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, RaiseException, GetStdHandle, WriteFile, CreateFileW, MultiByteToWideChar, WideCharToMultiByte, ExitProcess, GetModuleHandleExW, GetACP, CloseHandle, HeapAlloc, HeapFree, FindClose, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, SetStdHandle, GetFileType, GetStringTypeW, GetProcessHeap
OLEAUT32.dll | VariantInit, SafeArrayUnaccessData, SafeArrayCreateVector, SafeArrayDestroy, VariantClear, SafeArrayAccessData
Language of compilation system | Country where language is spoken | Map
English | United States |
                                                                                                            TimestampSource PortDest PortSource IPDest IP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 3, 2024 16:20:04.989835024 CET | 58255 | 53 | 192.168.2.5 | 1.1.1.1
Dec 3, 2024 16:20:05.194204092 CET | 53 | 58255 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 3, 2024 16:20:04.989835024 CET | 192.168.2.5 | 1.1.1.1 | 0x844c | Standard query (0) | sc.connectprotocol.es | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 3, 2024 16:20:05.194204092 CET | 1.1.1.1 | 192.168.2.5 | 0x844c | No error (0) | sc.connectprotocol.es | | 38.69.12.167 | A (IP address) | IN (0x0001) | false

                                                                                                            Target ID:0
                                                                                                            Start time:10:19:56
                                                                                                            Start date:03/12/2024
                                                                                                            Path:C:\Users\user\Desktop\6IqUjK9Koj.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Users\user\Desktop\6IqUjK9Koj.exe"
                                                                                                            Imagebase:0xc0000
                                                                                                            File size:5'620'624 bytes
                                                                                                            MD5 hash:3DBA9333737442421A8BADBACB64ED28
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Yara matches:
                                                                                                            • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000000.00000002.2100983220.0000000005480000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000000.00000000.2074088175.00000000000D6000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                            Reputation:low
                                                                                                            Has exited:true

                                                                                                            Target ID:2
                                                                                                            Start time:10:19:57
                                                                                                            Start date:03/12/2024
                                                                                                            Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\24.3.7.9067\a532d472f1ff1d4e\ScreenConnect.ClientSetup.msi"
                                                                                                            Imagebase:0x120000
                                                                                                            File size:59'904 bytes
                                                                                                            MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:3
                                                                                                            Start time:10:19:57
                                                                                                            Start date:03/12/2024
                                                                                                            Path:C:\Windows\System32\msiexec.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\msiexec.exe /V
                                                                                                            Imagebase:0x7ff6134a0000
                                                                                                            File size:69'632 bytes
                                                                                                            MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:false

                                                                                                            Target ID:4
                                                                                                            Start time:10:19:57
                                                                                                            Start date:03/12/2024
                                                                                                            Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 546BD2874B30B156F9F5E352A2E90D60 C
                                                                                                            Imagebase:0x120000
                                                                                                            File size:59'904 bytes
                                                                                                            MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:5
                                                                                                            Start time:10:19:57
                                                                                                            Start date:03/12/2024
                                                                                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIDA0A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6871750 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
                                                                                                            Imagebase:0x620000
                                                                                                            File size:61'440 bytes
                                                                                                            MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:6
                                                                                                            Start time:10:20:01
                                                                                                            Start date:03/12/2024
                                                                                                            Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 61C39474868EF693AA9D13DED834CBE3
                                                                                                            Imagebase:0x120000
                                                                                                            File size:59'904 bytes
                                                                                                            MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:7
                                                                                                            Start time:10:20:02
                                                                                                            Start date:03/12/2024
                                                                                                            Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding D6AAC5942B62E87B45915706D7C6883C E Global\MSI0000
                                                                                                            Imagebase:0x120000
                                                                                                            File size:59'904 bytes
                                                                                                            MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:8
                                                                                                            Start time:10:20:02
                                                                                                            Start date:03/12/2024
                                                                                                            Path:C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=sc.connectprotocol.es&p=8041&s=1415700e-0a5c-4e5f-b644-5b752a637a1e&k=BgIAAACkAABSU0ExAAgAAAEAAQC1kWKbpg72shug%2fcuGWQB7IuEBcyNy1kcDtCeo3N0RY4axIPh%2fFMztLn0b%2bG2MIuQOrKGq0Xsvxj7WUcZ%2bdIiMwDt7qlLgFko33osOQisFILKOBROsqmoO0CYg%2fpKva7AaAU%2bym8ZeY9OkPYj7knkvh679kRKgwWM5tfC%2fbhzztt1d5pfIewfVI67rLcAGqXh1hUDy%2bbdI6LG6r8m8lQczrbhXAZJ%2fuvXvUGXN6ZWttC7E00yJiy6fPWNioX5EJ%2fn2uX9gCWU%2bpspAIXXJhOyEHV84BHAUT0rgC1re8M9Puttx9uDjI37OpBOLw%2f5qq735uizmWAgUfhfj%2fLZeRyvQ&t=GOLDEN-TEAM-006"
                                                                                                            Imagebase:0xc60000
                                                                                                            File size:95'512 bytes
                                                                                                            MD5 hash:75B21D04C69128A7230A0998086B61AA
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Antivirus matches:
                                                                                                            • Detection: 0%, ReversingLabs
                                                                                                            Reputation:moderate
                                                                                                            Has exited:false

                                                                                                            Target ID:9
                                                                                                            Start time:10:20:03
                                                                                                            Start date:03/12/2024
                                                                                                            Path:C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:"C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe" "RunRole" "51cd66e2-8e8e-4db9-96dd-23cdad723925" "User"
                                                                                                            Imagebase:0x3a0000
                                                                                                            File size:602'392 bytes
                                                                                                            MD5 hash:1778204A8C3BC2B8E5E4194EDBAF7135
                                                                                                            Has elevated privileges:false
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Yara matches:
                                                                                                            • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000009.00000000.2147220649.00000000003A2000.00000002.00000001.01000000.00000011.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000009.00000002.3950343300.0000000002641000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe, Author: Joe Security
                                                                                                            Antivirus matches:
                                                                                                            • Detection: 0%, ReversingLabs
                                                                                                            Reputation:moderate
                                                                                                            Has exited:false

                                                                                                            Target ID:10
                                                                                                            Start time:10:20:06
                                                                                                            Start date:03/12/2024
                                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                            Imagebase:0x7ff7e52b0000
                                                                                                            File size:55'320 bytes
                                                                                                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:11
                                                                                                            Start time:10:20:07
                                                                                                            Start date:03/12/2024
                                                                                                            Path:C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:"C:\Program Files (x86)\ScreenConnect Client (a532d472f1ff1d4e)\ScreenConnect.WindowsClient.exe" "RunRole" "29ee37d5-5f9a-4773-a194-ef3bf27be104" "System"
                                                                                                            Imagebase:0xe60000
                                                                                                            File size:602'392 bytes
                                                                                                            MD5 hash:1778204A8C3BC2B8E5E4194EDBAF7135
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Yara matches:
                                                                                                            • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 0000000B.00000002.2199446681.0000000003111000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            Has exited:true

                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2086274523.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1190000_6IqUjK9Koj.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: #!$K6$7
                                                                                                              • API String ID: 0-185628103
                                                                                                              • Opcode ID: e76953c71e4d4f3321c9e1f1998946fd279f40bc7da467e1a86a1340effc88e5
                                                                                                              • Instruction ID: 3c2f33b4949247daf6a8d11ffd9c1f567b4989cbafec7690d2d1b8a01afddc9f
                                                                                                              • Opcode Fuzzy Hash: e76953c71e4d4f3321c9e1f1998946fd279f40bc7da467e1a86a1340effc88e5
                                                                                                              • Instruction Fuzzy Hash: 646182303502114FCB09AB6EE6A496E7BDBEFC4221355C22AD015CB788EF74DC09DB81
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2086274523.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1190000_6IqUjK9Koj.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: #!$K6$7
                                                                                                              • API String ID: 0-185628103
                                                                                                              • Opcode ID: 4f45edea9e67fbfd4cc83da2e867de994a11e3fd9de28602f1fadba94897eac1
                                                                                                              • Instruction ID: 1d72a15803a9d59d324ab11379016b31eeb9fd1964048630fcb6f2bb8a7631a6
                                                                                                              • Opcode Fuzzy Hash: 4f45edea9e67fbfd4cc83da2e867de994a11e3fd9de28602f1fadba94897eac1
                                                                                                              • Instruction Fuzzy Hash: 0B5163303502115F8B19BB6EE69496E7BDBEFC4221355C626E415CB788EF74DC09DB80
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2086274523.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1190000_6IqUjK9Koj.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: (aq$Haq
                                                                                                              • API String ID: 0-3785302501
                                                                                                              • Opcode ID: 6b15f306578c26cb7d515bf84f7bc2c83cabc5e912fc069c3cb76bac1963e105
                                                                                                              • Instruction ID: 043063ef55d73095bdf44a31d64f7a5c60c38335c095f0ba07ca35e0807f5e51
                                                                                                              • Opcode Fuzzy Hash: 6b15f306578c26cb7d515bf84f7bc2c83cabc5e912fc069c3cb76bac1963e105
                                                                                                              • Instruction Fuzzy Hash: 5341AD34B0024A8BCF08DEADD4946AEBBA2FFC4314F148569E919DB345DF30DD018BA1
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2086274523.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1190000_6IqUjK9Koj.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: (aq
                                                                                                              • API String ID: 0-600464949
                                                                                                              • Opcode ID: 3a830e5e70ab93626ef6dddefb077bfae5be1a03cc72c2b6678645468a9657e5
                                                                                                              • Instruction ID: 0c43891a5c4f40c0521985023e8e6b060a0b90469b4a3a4a4bcd21936420d4ec
                                                                                                              • Opcode Fuzzy Hash: 3a830e5e70ab93626ef6dddefb077bfae5be1a03cc72c2b6678645468a9657e5
                                                                                                              • Instruction Fuzzy Hash: 59611934B106098FCB18DF69E9949AEB7F6FF8E314B1481A4E5169B365DB30EC02DB50
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2086274523.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1190000_6IqUjK9Koj.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: (aq
                                                                                                              • API String ID: 0-600464949
                                                                                                              • Opcode ID: 7684143a731f479db82f82ccb1263806a883c0eff59b70337512780510509272
                                                                                                              • Instruction ID: 28f755cd669778caa95f530e6a63985098dbc8149ecf7598ab39f5c3d9ac6bea
                                                                                                              • Opcode Fuzzy Hash: 7684143a731f479db82f82ccb1263806a883c0eff59b70337512780510509272
                                                                                                              • Instruction Fuzzy Hash: 5C110A7A7002018FCF19DB68E894A6A7BE2FFCD254715816DD45ACB312DF31EC028751
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2086274523.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1190000_6IqUjK9Koj.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: (aq
                                                                                                              • API String ID: 0-600464949
                                                                                                              • Opcode ID: 2e4963645dd80059c3e485d8b79f707f3bccc11d8939eb936fb74c7547e13c8b
                                                                                                              • Instruction ID: 0e67ca7bd8ec1bb787a0f4046842c8e978a5c6b0d4a5b069648ecc90058237a6
                                                                                                              • Opcode Fuzzy Hash: 2e4963645dd80059c3e485d8b79f707f3bccc11d8939eb936fb74c7547e13c8b
                                                                                                              • Instruction Fuzzy Hash: EA11B2763002058FCF18DB6DE854A6ABBE7FFC8220B158129E45A87311DF31EC028B50
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2086274523.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1190000_6IqUjK9Koj.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: Te]q
                                                                                                              • API String ID: 0-52440209
                                                                                                              • Opcode ID: e63df36ef21abda84c504b28a504d4cb89892509820991a14193312611a95d63
                                                                                                              • Instruction ID: 0de7854a61bc8e4c1ae9ceaa3229fd5948139664a89beae0ec578ff3b226bb35
                                                                                                              • Opcode Fuzzy Hash: e63df36ef21abda84c504b28a504d4cb89892509820991a14193312611a95d63
                                                                                                              • Instruction Fuzzy Hash: 77F082313002146BC718EA9EE991D6BFBDFEFC9664714852DE9098B355CE72DC0683E1
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2086274523.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1190000_6IqUjK9Koj.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: PH]q
                                                                                                              • API String ID: 0-3168235125
                                                                                                              • Opcode ID: 475b2bc6973e128833d24b5eaf134254771a74dc3d0012f0d38d16527a434359
                                                                                                              • Instruction ID: 04defc939acf2f340d9dd2da56d623da2972a5e2274553e94352760cd4f26555
                                                                                                              • Opcode Fuzzy Hash: 475b2bc6973e128833d24b5eaf134254771a74dc3d0012f0d38d16527a434359
                                                                                                              • Instruction Fuzzy Hash: CDD02E7290438457CF185E28E9467223BAABB56364F3802B8A0318AAC2EA76D0038791
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2086274523.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1190000_6IqUjK9Koj.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: PH]q
                                                                                                              • API String ID: 0-3168235125
                                                                                                              • Opcode ID: cb1d9a6b674743e4a0b7f064b628f700b06a95e576500b3f9eeb3e3ec693ffbc
                                                                                                              • Instruction ID: d31d303b80d0200ea6bf982b281a3a2d1075e9973f223ebb237a5b6665bbd65a
                                                                                                              • Opcode Fuzzy Hash: cb1d9a6b674743e4a0b7f064b628f700b06a95e576500b3f9eeb3e3ec693ffbc
                                                                                                              • Instruction Fuzzy Hash: 09C01230A04348878F1C5E7D65559253B99BF89664B300668A5354B6C5DB72D4038BA1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2086274523.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1190000_6IqUjK9Koj.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 0f57d28515545c350adf3018afdc3e358f17ca11841ccb282d6ba0bb4cf1ab46
                                                                                                              • Instruction ID: 89bec6d1fc0ba7e5c4e985acd916278631ba7c40dc043ca314a1509718f7184b
                                                                                                              • Opcode Fuzzy Hash: 0f57d28515545c350adf3018afdc3e358f17ca11841ccb282d6ba0bb4cf1ab46
                                                                                                              • Instruction Fuzzy Hash: 82D10835A0120ADFCF05CFA8D9808AEBBF2FF49354B248459E915A7361D731ED16CBA1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2086274523.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1190000_6IqUjK9Koj.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c637750ecbd2dc70d4d13c412bc1bb33c65e0408e86c538b2153b479945ccc65
                                                                                                              • Instruction ID: 3f69654f5289008824b350a4c8b7082f16786011620b04d28bc6aeca99babccb
                                                                                                              • Opcode Fuzzy Hash: c637750ecbd2dc70d4d13c412bc1bb33c65e0408e86c538b2153b479945ccc65
                                                                                                              • Instruction Fuzzy Hash: ACA17D74B002059FCB09DF69DA95A6EBBE6FF88300B148529E41ADB755DF74DC06CB80
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2086274523.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1190000_6IqUjK9Koj.jbxd
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2086274523.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1190000_6IqUjK9Koj.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 33a825ad46ed6ca2907afe4ce9897f1fda3ccaee908c9fc8044b90d71455421a
                                                                                                              • Instruction ID: de887b41659e44ab04b95c5efa6f42ca00c6a68cde93a80227054c4ac86f93db
                                                                                                              • Opcode Fuzzy Hash: 33a825ad46ed6ca2907afe4ce9897f1fda3ccaee908c9fc8044b90d71455421a
                                                                                                              • Instruction Fuzzy Hash: EB212B30B202058FDB18DF68C554AAABBF6EF89750F2484A9E816E7394DB31ED01CB50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2086274523.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1190000_6IqUjK9Koj.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 5a008cfabfab167993f6c827ef9b5b14a56659a631ccff2c61890c1fa14bf107
                                                                                                              • Instruction ID: ec14b864027192d99c7038c953cc074239118c8e83f36a392cc2229a19ea46ce
                                                                                                              • Opcode Fuzzy Hash: 5a008cfabfab167993f6c827ef9b5b14a56659a631ccff2c61890c1fa14bf107
                                                                                                              • Instruction Fuzzy Hash: 6D218930A097098BDB38CF39D94466ABBF5AF88354B040A2CD466C72D4DB30EA04CB91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2086274523.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1190000_6IqUjK9Koj.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a7639faf4f5e19c0f70a241ee869af475a1839db430380d55f3cf674faf3e8b7
                                                                                                              • Instruction ID: 0a8eb70f570e2f6e7e107205cbad554f0939545201a1f37cc10bd5e87b7ff9ef
                                                                                                              • Opcode Fuzzy Hash: a7639faf4f5e19c0f70a241ee869af475a1839db430380d55f3cf674faf3e8b7
                                                                                                              • Instruction Fuzzy Hash: 12210631A042458FDF5B8F68D88078A7F76EF09361F0940A7D920EB196DB31E845CBA1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2086274523.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1190000_6IqUjK9Koj.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 5fd92a1d090db296be67aac171033ca26ec055d88310821a161b6ed924c88d89
                                                                                                              • Instruction ID: e751d37c7d11a447dc6b79c60c1c74ff5213e72a9d9dc8d71a053ef2b2cbf075
                                                                                                              • Opcode Fuzzy Hash: 5fd92a1d090db296be67aac171033ca26ec055d88310821a161b6ed924c88d89
                                                                                                              • Instruction Fuzzy Hash: 7821B230600101CFDFADCF28E9C4A9A7F76EF48361B044166D925AF2D9EB71D851CBA1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2086274523.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1190000_6IqUjK9Koj.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 0651b36b073e6e38a38cf9067ea8a5653e595d43f553f470a8fb23b42a665f63
                                                                                                              • Instruction ID: bd275b23fc2ad096ee814d408d638bd9fcca27e99b22d0bcbf54f8cd98099dd2
                                                                                                              • Opcode Fuzzy Hash: 0651b36b073e6e38a38cf9067ea8a5653e595d43f553f470a8fb23b42a665f63
                                                                                                              • Instruction Fuzzy Hash: 8421E374E042188FDB19CFAAC9446EEBBF2AF89300F04C16AE419B7264DB745946CF50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2086274523.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1190000_6IqUjK9Koj.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 0425383d185b1c6ba2331d29b6f3c8cb54badd364a3469424b0781876ac51ba6
                                                                                                              • Instruction ID: 272b15975bcae9689b7d1f92b01b0fe229d8edb42c380ea440661595cdb3477b
                                                                                                              • Opcode Fuzzy Hash: 0425383d185b1c6ba2331d29b6f3c8cb54badd364a3469424b0781876ac51ba6
                                                                                                              • Instruction Fuzzy Hash: 07213B347002058BCF08DF6ED99495EFBE6EF85260355C56AE819CB35AEB31EC048791
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2086274523.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1190000_6IqUjK9Koj.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b8ff22250e00b34c5353711d2ef2163b58ef2cea11436a9f54b3fe1648e51c21
                                                                                                              • Instruction ID: 53866ed7b4bfe81369be51e6fc2e2df8dfc3c7385577ce5852e67202c018bc76
                                                                                                              • Opcode Fuzzy Hash: b8ff22250e00b34c5353711d2ef2163b58ef2cea11436a9f54b3fe1648e51c21
                                                                                                              • Instruction Fuzzy Hash: 671159357002058B8F08DE2DD4949AAFBE6EF96250345C56AE85ACF36AEB34DC05CB51
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2086274523.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1190000_6IqUjK9Koj.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 9f3cf8f49488a3cd6b801e8bcb5afcc9a19bc0ead4dc0202c159bb28bb7b9172
                                                                                                              • Instruction ID: 605972eca6c371975422d5009ebcbb1212d962e564773d5a8a4fb83cfcbe8067
                                                                                                              • Opcode Fuzzy Hash: 9f3cf8f49488a3cd6b801e8bcb5afcc9a19bc0ead4dc0202c159bb28bb7b9172
                                                                                                              • Instruction Fuzzy Hash: 902153306007018FDB39CF29D948656BBF5EF48350B008B2CE56297AA4DB71E94ACF81
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2086274523.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1190000_6IqUjK9Koj.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 586f20dd9b5a0055e3407bc95aeb7786991fe493fdceecbe8078e4a9e04faab1
                                                                                                              • Instruction ID: 1450fa41981d1314fd3ca41e7c2d9468d9298265fcd697e2b0f05d175d3d8d4d
                                                                                                              • Opcode Fuzzy Hash: 586f20dd9b5a0055e3407bc95aeb7786991fe493fdceecbe8078e4a9e04faab1
                                                                                                              • Instruction Fuzzy Hash: 2A114C347002058B8F08DF6ED58495EFBE6EF89260754C53AE81ACF359EB30ED058B90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2086274523.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1190000_6IqUjK9Koj.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c711ceb8de1272d541bbf277b384900fe7a2055d02b594b5711d9f67f142a409
                                                                                                              • Instruction ID: 5ed9725e029c12eabc0b40c5a34e93ee96a2af2344b2a06a0bbd5f1539bce2c8
                                                                                                              • Opcode Fuzzy Hash: c711ceb8de1272d541bbf277b384900fe7a2055d02b594b5711d9f67f142a409
                                                                                                              • Instruction Fuzzy Hash: 7D11A3306002459BDF1ACEA9E884E9EBFF5FF84314F04852AE928C7205D730E950CBE1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2086274523.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1190000_6IqUjK9Koj.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 3d3567b704ddcec8cca02861e4a713695da8cc7356f20a9412e855c665e8c2f5
                                                                                                              • Instruction ID: 8cd86b03bd5c840fc7fa806202a77caf3dd89b5dda06f0eeccbdf7242dfbeea9
                                                                                                              • Opcode Fuzzy Hash: 3d3567b704ddcec8cca02861e4a713695da8cc7356f20a9412e855c665e8c2f5
                                                                                                              • Instruction Fuzzy Hash: 6F1134B4E0020ADFCB04DFA8D4959AEBBB1FF89300F11846AE915EB351DB34A905CF61
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2086274523.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1190000_6IqUjK9Koj.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: daf6384d8d9594eb0cda6ffd272b157dbf2eb44d7286348042a484c5df5d8057
                                                                                                              • Instruction ID: d307e849dcd4b10ab18eaff7f46ca1d372b0d5ab7c60f34d8499fa70e03bc04c
                                                                                                              • Opcode Fuzzy Hash: daf6384d8d9594eb0cda6ffd272b157dbf2eb44d7286348042a484c5df5d8057
                                                                                                              • Instruction Fuzzy Hash: 941106B4E0020A9FCB04DFA9D5559AEBBF5FF89200F118469E918A7350DB35A901CFA1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2086274523.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1190000_6IqUjK9Koj.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c01b7a35125efbe76e1a1537d0969cac7d9c932e22eaba22e597289f7fa677c6
                                                                                                              • Instruction ID: 516eaa152a8a389e046561ff8b4d95c354ad77cd7eee2bfdecae3cc8f196a6f5
                                                                                                              • Opcode Fuzzy Hash: c01b7a35125efbe76e1a1537d0969cac7d9c932e22eaba22e597289f7fa677c6
                                                                                                              • Instruction Fuzzy Hash: 82012D30A046455BEF0DDFECA8C859E7BF5EF82268F488056E579CB186D730C4038750
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2085951459.00000000010ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 010ED000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_10ed000_6IqUjK9Koj.jbxd
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 63bebd097582f8d527472e373e40abc385e88c23c461ca098154d3bbddd2f13f
                                                                                                              • Instruction ID: 80592db4fe2f41f040ffaba2a7b0d23064663a01723920820e53f9d1e742cb64
                                                                                                              • Opcode Fuzzy Hash: 63bebd097582f8d527472e373e40abc385e88c23c461ca098154d3bbddd2f13f
                                                                                                              • Instruction Fuzzy Hash: 6AF0F6343001424FCB379B2CA5246DE3BA5EFC5224304842ED4DD8BB05EF289804CBC1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2086274523.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1190000_6IqUjK9Koj.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 20f17e5f1656adfbda8ad8c48fce915735c0ce370c193418ab024412f4c7cd28
                                                                                                              • Instruction ID: 40fa8ba553cce6d25e6f85d75a27d76a54b387202b2a8c27df391c3fd8ed1f7f
                                                                                                              • Opcode Fuzzy Hash: 20f17e5f1656adfbda8ad8c48fce915735c0ce370c193418ab024412f4c7cd28
                                                                                                              • Instruction Fuzzy Hash: 9301A430D0828A9BCF19CF7CD444EAEBFB0AB06224F244699E135D7292D7729141CF87
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2086274523.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1190000_6IqUjK9Koj.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 36f835c15f8905a1a27414c2a2f91f39758d31b88923d4b43113e0a529336708
                                                                                                              • Instruction ID: 107e2333f6a84119c7ada0fbff0056745b4650e16757365acdf47a9e46737ab4
                                                                                                              • Opcode Fuzzy Hash: 36f835c15f8905a1a27414c2a2f91f39758d31b88923d4b43113e0a529336708
                                                                                                              • Instruction Fuzzy Hash: EBF0A7353006025B8B2BAA2DF52459E7BDAFBC8264300802DD5DDC7B04EF24E8048BD1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2086274523.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1190000_6IqUjK9Koj.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 2fe9c6aa72c78add6d015a0a9514b764aea60c9a75b32e49fbb55b59ded7761c
                                                                                                              • Instruction ID: 333047492a73db0cbeb7936b26e89c0e4b70fa7c44e6b15674191ddf79ff0793
                                                                                                              • Opcode Fuzzy Hash: 2fe9c6aa72c78add6d015a0a9514b764aea60c9a75b32e49fbb55b59ded7761c
                                                                                                              • Instruction Fuzzy Hash: B1F06770D0420A9FCF68DFACD845A6EBBB0BB09220F204A69E528E3291D37085408F96
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2086274523.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1190000_6IqUjK9Koj.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 486604a26c85a28ac8e431bb22b20a40928c20a7f75945331e80a96961917ddc
                                                                                                              • Instruction ID: b8e04a914c4835d5a9f7c2cc5fc43b53f69161ece0e21673d7835baf95a97e66
                                                                                                              • Opcode Fuzzy Hash: 486604a26c85a28ac8e431bb22b20a40928c20a7f75945331e80a96961917ddc
                                                                                                              • Instruction Fuzzy Hash: 1FF01C30E447889FCF4ADBB8E8555ACBFB1AB85214B1045EAD419DB322EA345A45CB41
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2086274523.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1190000_6IqUjK9Koj.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: dff2d25f4ff2fdd7e4cc9bdd3c7c35c2c1b0d0c1024b92eaf2681c5ef51982fc
                                                                                                              • Instruction ID: 153f2eef243b64a91962e26562b47a1e82a829d68d3fba6bd09ac1bdb7662a3f
                                                                                                              • Opcode Fuzzy Hash: dff2d25f4ff2fdd7e4cc9bdd3c7c35c2c1b0d0c1024b92eaf2681c5ef51982fc
                                                                                                              • Instruction Fuzzy Hash: C2F01C70D08219DFCF54DFACE545AAEBFF0AB08210F60469AE529E3291D77186408FC6
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2086274523.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1190000_6IqUjK9Koj.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 105f2324856c4a4e3d4dc99f65537a8a447f1b585d1d6927c693a340f6b0f527
                                                                                                              • Instruction ID: 281db040b517843c922100aa4e5c4da8db67526b813b4ae425b825c2d7f17ba4
                                                                                                              • Opcode Fuzzy Hash: 105f2324856c4a4e3d4dc99f65537a8a447f1b585d1d6927c693a340f6b0f527
                                                                                                              • Instruction Fuzzy Hash: 62E0DF74904248EFCB11EF78E9666EDBFB5EB9620071141AAD889DB211DA310E04DBA1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2086274523.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1190000_6IqUjK9Koj.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d8d57af556563199774f6a687c11a11ee31bda945a16218f0e6b20cb2b1ffe18
                                                                                                              • Instruction ID: 452d6051440857998874c7c808107d35e8cf501a711b507f7516d34a62ca9c51
                                                                                                              • Opcode Fuzzy Hash: d8d57af556563199774f6a687c11a11ee31bda945a16218f0e6b20cb2b1ffe18
                                                                                                              • Instruction Fuzzy Hash: B3E0D870945248FFCB46DB68E94055DBFB5EF4710470440AAE404EB216E6311F009752
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2086274523.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1190000_6IqUjK9Koj.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a9de42201d45d9ed7aa02058270b75e6c396f9a3276e71d40a2dff6380368857
                                                                                                              • Instruction ID: 16fbf8cee7c2258a7f948876797b5e62867d9d122dc303018510187901ce47db
                                                                                                              • Opcode Fuzzy Hash: a9de42201d45d9ed7aa02058270b75e6c396f9a3276e71d40a2dff6380368857
                                                                                                              • Instruction Fuzzy Hash: 13E07D63DC80C8DFDB0A976C5D915B03FA9C83360974D01C6D418DB126F326D50AE391
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2086274523.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1190000_6IqUjK9Koj.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ac52c39a03633cc082409bb22ee1bd840480c469eb28ffd57a3003c8297ea1ff
                                                                                                              • Instruction ID: 1a8b9f936e969871cf65269991d78ac7f95f571f6e093f495dabc3109c4d36ea
                                                                                                              • Opcode Fuzzy Hash: ac52c39a03633cc082409bb22ee1bd840480c469eb28ffd57a3003c8297ea1ff
                                                                                                              • Instruction Fuzzy Hash: AEE09A74E0430CAFCB44DFA8E54559DBFB5AF44300F0085A9D40997354EA345A05CF81
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2086274523.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1190000_6IqUjK9Koj.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4adcc2c78f16b223b2d79b1483015a4a3906c1d082fafb953b6f01b4130fb7a0
                                                                                                              • Instruction ID: e3d87c34972925e0adf7355150bacf2689a94f13fd1448ad11aa19fb92793b8d
                                                                                                              • Opcode Fuzzy Hash: 4adcc2c78f16b223b2d79b1483015a4a3906c1d082fafb953b6f01b4130fb7a0
                                                                                                              • Instruction Fuzzy Hash: 83D05E30A0020CEFCB40EFA8EA01A9EBBF9EB44204B1151ACD849E7704EA316F009BD0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2086274523.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1190000_6IqUjK9Koj.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 9c167f6bfdda68cfd234ae7da2eb85c17cb4dc14668922f63760dbbe97d03d73
                                                                                                              • Instruction ID: 7d62aabb740c37119d0d454ea69ddfd4db19db10fc25d252a2e545a01f20189d
                                                                                                              • Opcode Fuzzy Hash: 9c167f6bfdda68cfd234ae7da2eb85c17cb4dc14668922f63760dbbe97d03d73
                                                                                                              • Instruction Fuzzy Hash: A4D0A921949F880FCF17CBA4EA021687F20DD93210B140AD7D4AD8F323EA2A9C9083D2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2086274523.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1190000_6IqUjK9Koj.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: fba8123f67d449171e2e970cb5d45df52c23733d903f5d797de583f3398ab578
                                                                                                              • Instruction ID: a001efb7116b066fb0932da91557c588466f24a27e3671eeb4b6459655ef843f
                                                                                                              • Opcode Fuzzy Hash: fba8123f67d449171e2e970cb5d45df52c23733d903f5d797de583f3398ab578
                                                                                                              • Instruction Fuzzy Hash: FAD05B3094110CFFCB00EFA5EA4156DBBF9EB55605B1045B9D408D7204DA325F009790
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2086274523.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1190000_6IqUjK9Koj.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c75b2460d15ad58188b9516f130e96ffbd05e2893143a70afcc2bd2f8e9edbf5
                                                                                                              • Instruction ID: 0a5594a0d1f6494e4045afd7cd9123e56cca464b89a7f5db1161389be1b62f57
                                                                                                              • Opcode Fuzzy Hash: c75b2460d15ad58188b9516f130e96ffbd05e2893143a70afcc2bd2f8e9edbf5
                                                                                                              • Instruction Fuzzy Hash: DBE02B516093C04FCF07562984113E9BFB0AF93328B0C02E9C0F44F6E3C711580AE361
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2086274523.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1190000_6IqUjK9Koj.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 5f30c2bdf632c2550345f8de4c1f479e328dc4579aeef85bb235a906326034fb
                                                                                                              • Instruction ID: fa7bc57c9c6d443d1b6b73bd72b5f057cfb4e5da1213443017518d11ddcbd949
                                                                                                              • Opcode Fuzzy Hash: 5f30c2bdf632c2550345f8de4c1f479e328dc4579aeef85bb235a906326034fb
                                                                                                              • Instruction Fuzzy Hash: ECC0123115D3464FC7027B64B955C083F35D95122535147B2A428864F7C6284A58F365
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2086274523.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1190000_6IqUjK9Koj.jbxd
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000003.2100899329.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_3_4ce0000_rundll32.jbxd
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 9096c2d7596e38ad3ad16faaed669fadb6403d59d1921eda5ba0b4cd7a5bcbc7
                                                                                                              • Instruction ID: 260a36dc53b22fe7206acf70b79f8027e0bf69b685369fd85f2d2c0d04bda330
                                                                                                              • Opcode Fuzzy Hash: 9096c2d7596e38ad3ad16faaed669fadb6403d59d1921eda5ba0b4cd7a5bcbc7
                                                                                                              • Instruction Fuzzy Hash: B251B070E14349CFDB01DFB8D854BD9BBB2FF89304F10855AE144AB2A2DB38A945CB95
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000003.2100899329.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_3_4ce0000_rundll32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7c56ab41b4a2add1844d9de72d9779b8682acf423c6390c6c704e164ba4aff12
                                                                                                              • Instruction ID: d5b482bcdb52fab917019faa33750d44bb5da9a16222d22c557f5709c4198b03
                                                                                                              • Opcode Fuzzy Hash: 7c56ab41b4a2add1844d9de72d9779b8682acf423c6390c6c704e164ba4aff12
                                                                                                              • Instruction Fuzzy Hash: 8F519C34E10309DFDB04DFB9E854B9DBBB6FF89304F108529E504AB291EB75A949CB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000003.2100899329.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_3_4ce0000_rundll32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 6b54009340f22cacf1055dbbb3492d036075852c976eb75531013bcaaeee37f7
                                                                                                              • Instruction ID: 20f7852ca9f71f5da2e0082987a31dc8a71abf971c7fdb3315877a566ce7eb8c
                                                                                                              • Opcode Fuzzy Hash: 6b54009340f22cacf1055dbbb3492d036075852c976eb75531013bcaaeee37f7
                                                                                                              • Instruction Fuzzy Hash: 71413F35B001189FCB54DF6AD8809AEBBB6FF88714B108165E905EB361DB31ED41CB91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000003.2100899329.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_3_4ce0000_rundll32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7f8401758f7bcf43484f1947b08071e556e8069dfacde6f8a00e0e271de12baa
                                                                                                              • Instruction ID: 6c56e1f4fabc86ad4bb83a23a4d2193f7ad2cb211c18b0a92cc92f11c743d90b
                                                                                                              • Opcode Fuzzy Hash: 7f8401758f7bcf43484f1947b08071e556e8069dfacde6f8a00e0e271de12baa
                                                                                                              • Instruction Fuzzy Hash: B541C478B11208DFCB04DFA9E59499DBBF6FF98710B148069E905E7325DB34AD41CB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000003.2100899329.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_3_4ce0000_rundll32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b49682d6736956c2c18b97f18395f609324b1b17d7a2374708b7c91b97e9c9c8
                                                                                                              • Instruction ID: f55b2c6936e5b6dbd97009738240f86dab2317795ae90ed24d7dc5b7dcf49f79
                                                                                                              • Opcode Fuzzy Hash: b49682d6736956c2c18b97f18395f609324b1b17d7a2374708b7c91b97e9c9c8
                                                                                                              • Instruction Fuzzy Hash: ED31D274A11208DFCB04DFAAD5849ADBBFAFF88310B248069E905E7325DB30EC41CB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000003.2100899329.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_3_4ce0000_rundll32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: eff389fe039e03bddd63903e1dd72ed81db90d25715c5eabcc639a99a71d2f06
                                                                                                              • Instruction ID: 8aa8451d913c33fd09456eb3df890efec98f6bb9e7f4cf13f21660186729ba5f
                                                                                                              • Opcode Fuzzy Hash: eff389fe039e03bddd63903e1dd72ed81db90d25715c5eabcc639a99a71d2f06
                                                                                                              • Instruction Fuzzy Hash: 96216E32605368AFEB16276668147BA3F1BDF42334F1440A7F949C70A1DF34D955E361
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000003.2100899329.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_3_4ce0000_rundll32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 392b529928c3306e4797f9cff53dcd531aba7e412810b382b1a384601f0238df
                                                                                                              • Instruction ID: 409f5e159bc8c4596c10cb68fbac258f4323e1cdb84d0561cbf4f5487d5b40cd
                                                                                                              • Opcode Fuzzy Hash: 392b529928c3306e4797f9cff53dcd531aba7e412810b382b1a384601f0238df
                                                                                                              • Instruction Fuzzy Hash: 24214676B002509BEF008E7688406BE7BEBEFC9210F08407BD806C7251EF78AE169791
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000003.2100899329.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_3_4ce0000_rundll32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 713038a022a417d46e20c052abec2e44da8489d5948f8550af4b96c674bbd8bc
                                                                                                              • Instruction ID: a979c5e9956ab812c883824b9403f63053e71b38cb4a98443ccb5cf427900bb8
                                                                                                              • Opcode Fuzzy Hash: 713038a022a417d46e20c052abec2e44da8489d5948f8550af4b96c674bbd8bc
                                                                                                              • Instruction Fuzzy Hash: 4C110D31B046641BFB181A7598103BA2B9FDBC2714F0004EAD547C72D2DF54ED035396
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000003.2100899329.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_3_4ce0000_rundll32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 6a1ac5d11f3301f0c7cd72df4a66e0c63d0db19ca0522a58bc59ff78c0bd529b
                                                                                                              • Instruction ID: 524619172390eb4f61e475694fe32207282ea35ba600af0351dd6008a638ae0f
                                                                                                              • Opcode Fuzzy Hash: 6a1ac5d11f3301f0c7cd72df4a66e0c63d0db19ca0522a58bc59ff78c0bd529b
                                                                                                              • Instruction Fuzzy Hash: 62113136B101058BDF288B6AD8003FDB7FBEB88328F0486B9C105E72A4DB35D906CB54
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000003.2100899329.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_3_4ce0000_rundll32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 810b3a21b6adb1ba8c82e8fe4b4a350c30ea666a4a44a47706fc00e6dcca82c4
                                                                                                              • Instruction ID: 936004b92eb5decd198d2a82d36ac4f487d48ea92156bbbd3f7ff83cf2d80403
                                                                                                              • Opcode Fuzzy Hash: 810b3a21b6adb1ba8c82e8fe4b4a350c30ea666a4a44a47706fc00e6dcca82c4
                                                                                                              • Instruction Fuzzy Hash: 1C21D178A04245AFDB04DFA5C850AAEBBB3FFCD305F148429D409A33A0CF76A941DB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000003.2100899329.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_3_4ce0000_rundll32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 63ebc13a97a0bb3bfff43b0d2ba5489d81ad01a32bc652546b6bd14df3b17c84
                                                                                                              • Instruction ID: 4c4014d04db44bca595763c9661400524d0031abe3ca74ef2152bb91fe0eee8b
                                                                                                              • Opcode Fuzzy Hash: 63ebc13a97a0bb3bfff43b0d2ba5489d81ad01a32bc652546b6bd14df3b17c84
                                                                                                              • Instruction Fuzzy Hash: 9821FC75A102189FDB44DF69D4849EDBBB2FF4C714F10816AE905EB360EB319942CF91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000003.2100899329.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_3_4ce0000_rundll32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 973d2563311d55c1209cde014cd62d63aabef4266ec974b694a4aef7194b41f7
                                                                                                              • Instruction ID: d56fed87de47d3a972280bb5ff3e2ca0daf5d8322a0876e0bb64112c6220d4e4
                                                                                                              • Opcode Fuzzy Hash: 973d2563311d55c1209cde014cd62d63aabef4266ec974b694a4aef7194b41f7
                                                                                                              • Instruction Fuzzy Hash: 9501897AB093A41BDB15177B186423F6F579FC6220F094466D909C7351EF38EC11C2E1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000003.2100899329.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_3_4ce0000_rundll32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 5e17968427e085806ead7dd61ba2a799298f9a1a0b6031c6183c9cce06cdc68f
                                                                                                              • Instruction ID: f7f5470bef3883415b33d9aed6b43153f7f9260122856c5ce48ecd48a4e3b935
                                                                                                              • Opcode Fuzzy Hash: 5e17968427e085806ead7dd61ba2a799298f9a1a0b6031c6183c9cce06cdc68f
                                                                                                              • Instruction Fuzzy Hash: D7216D38A00205AFDB04DFA6D454AADBBB7EFC9314F14442AD409973A0CF796D81DB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000003.2100899329.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_3_4ce0000_rundll32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 0aef767277a32dcad80717e1bccbd9b52dcc6b268bef68ca45f4813e1d3cceea
                                                                                                              • Instruction ID: 244f0060247347b5f40580d5401f1d2d89ac6801c39b0e89ca689263d41be355
                                                                                                              • Opcode Fuzzy Hash: 0aef767277a32dcad80717e1bccbd9b52dcc6b268bef68ca45f4813e1d3cceea
                                                                                                              • Instruction Fuzzy Hash: 08114238A00105AFDB04DFA6C850AAEBBB7EFCD314F148029D405A73A0DF76AD45DB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000003.2100899329.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_3_4ce0000_rundll32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 25c9b1ff364f0a675f69fd5977f1472ed01b50ff9023287407221a6bb51d433e
                                                                                                              • Instruction ID: 850eab2dbf7a7a65871c843973eeab48a1eb6c6a85b4e48d6a3a330dc1810c73
                                                                                                              • Opcode Fuzzy Hash: 25c9b1ff364f0a675f69fd5977f1472ed01b50ff9023287407221a6bb51d433e
                                                                                                              • Instruction Fuzzy Hash: 63113D38A00104AFDB04EBA6D450AA9BBB7EFCD314F14402AD409A7390CF796D859B90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000003.2100899329.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_3_4ce0000_rundll32.jbxd
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2101632906.0000000004A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A4D000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_4a4d000_rundll32.jbxd
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 24dac4ae6cc3edd5fb75fd6156de7245319eb2086ab412dfec9f5dd74839ff55
                                                                                                              • Instruction ID: 9ae414f8b79ff326a202c2714a60accb61313c6563f8a956df5ad37cd893e3e5
                                                                                                              • Opcode Fuzzy Hash: 24dac4ae6cc3edd5fb75fd6156de7245319eb2086ab412dfec9f5dd74839ff55
                                                                                                              • Instruction Fuzzy Hash: A7F09EB6B087008BD7288A1BD0C437DB797AFC0224B08817ED905C72E2EF749D01D384
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000003.2100899329.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_3_4ce0000_rundll32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 54b505e11bcf206ea5160fae02e52f21b3b7969dff4bd84f8ce87a091642f000
                                                                                                              • Instruction ID: 23bec4dcfae51c45955dc7776b5c838830d3028c8c4d5dc1fcabd32c101b7abf
                                                                                                              • Opcode Fuzzy Hash: 54b505e11bcf206ea5160fae02e52f21b3b7969dff4bd84f8ce87a091642f000
                                                                                                              • Instruction Fuzzy Hash: 62F09678E151065FDB1C8FB8986A2293BD7FBD2628705096BC14ADB3E1FE2C9901C791
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000003.2100899329.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_3_4ce0000_rundll32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 1c2558d7f6b14a425ba4f52b1638086256e36efa5333e02cc1aaa041bb526b8b
                                                                                                              • Instruction ID: 553a0898c908371eae6b20a0c21d7e0e1ecb16bd2dc3aa3c1c69f4df0d955bad
                                                                                                              • Opcode Fuzzy Hash: 1c2558d7f6b14a425ba4f52b1638086256e36efa5333e02cc1aaa041bb526b8b
                                                                                                              • Instruction Fuzzy Hash: 1DF082713002108BA725AA5FE8948AFBBDEEFC8664304817AE54AC7310DF61FD0587E1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000003.2100899329.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_3_4ce0000_rundll32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 1f98a1ef55c9ff0f7757b6723303313ee3d820d1e8c9bb6c543d6f26939839b8
                                                                                                              • Instruction ID: 715cabf55a162dda18eeff88abe6090a698de63ab3467603cbbb0cee84befac8
                                                                                                              • Opcode Fuzzy Hash: 1f98a1ef55c9ff0f7757b6723303313ee3d820d1e8c9bb6c543d6f26939839b8
                                                                                                              • Instruction Fuzzy Hash: 34F0277AF083505FD7255A6791943396F5B6B902A4F0A406ACE48CB311EF749D1292C0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000003.2100899329.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_3_4ce0000_rundll32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 95e6efcc9ae675931cfa1635f9cbbaee9ec0d4de593db09180f55493f4295a1a
                                                                                                              • Instruction ID: b6a4794a0a20fca7594dd65e13fbecf31d36019f0651b23d79f149b9b23110ea
                                                                                                              • Opcode Fuzzy Hash: 95e6efcc9ae675931cfa1635f9cbbaee9ec0d4de593db09180f55493f4295a1a
                                                                                                              • Instruction Fuzzy Hash: FFF0EC3270D3445FD3055A26D8106CABB65EFD922CF1444BED688D7352CD765C05C761
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000003.2100899329.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_3_4ce0000_rundll32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 253b2a03506e2bd023bb9a777305b84e9cf9dfb7ff70e3c3acaa9389f1c3d545
                                                                                                              • Instruction ID: b629f5752a0fb1c1fca6a145b14a12130e71df3f95ed6e7cc10e9e134a2ce5cb
                                                                                                              • Opcode Fuzzy Hash: 253b2a03506e2bd023bb9a777305b84e9cf9dfb7ff70e3c3acaa9389f1c3d545
                                                                                                              • Instruction Fuzzy Hash: 82E06D7220C3808FD769DE38A850696BBD2DFA4201B04883EE4C5C3384EA31A841C769
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000003.2100899329.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_3_4ce0000_rundll32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a32d416f7bb4a59a7e70145d42d0f81de5bdc8c1f4fd15870979e72ebe530687
                                                                                                              • Instruction ID: 4792261d60d06d3b437a75f7bdb2e04df27080939fda42632ccf234f168d4785
                                                                                                              • Opcode Fuzzy Hash: a32d416f7bb4a59a7e70145d42d0f81de5bdc8c1f4fd15870979e72ebe530687
                                                                                                              • Instruction Fuzzy Hash: B1E0AB7061A3429FD7010B3655756293F599F02200B5408D9D40ECA073CF28D400C741
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000003.2100899329.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_3_4ce0000_rundll32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 78ab0cbd0600ac44be43f1842aa4365e3928660c71e9d76c2bc75b11ec1b2a95
                                                                                                              • Instruction ID: f2184538618d09803aefc874dbb9c031183c2dec66ee944c47a74eeb5921b499
                                                                                                              • Opcode Fuzzy Hash: 78ab0cbd0600ac44be43f1842aa4365e3928660c71e9d76c2bc75b11ec1b2a95
                                                                                                              • Instruction Fuzzy Hash: B6E026327042045BD304A92BE840957F79AEBC8228B10407DE54CC3315CD32AC028690
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000003.2100899329.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_3_4ce0000_rundll32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 16791f3f4093d7122c24f51ba7cf0ad395a78b967493ee42c7c6e80a87881e33
                                                                                                              • Instruction ID: 08a4a573f7bedb4834386fd633d401aed4eef1f051b2778134a824194951bc6f
                                                                                                              • Opcode Fuzzy Hash: 16791f3f4093d7122c24f51ba7cf0ad395a78b967493ee42c7c6e80a87881e33
                                                                                                              • Instruction Fuzzy Hash: B9E0DF3050810ACFC701DB09D5589283BF1FF4131CB1046C4C8894B172CF399E06DB81
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000003.2100899329.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_3_4ce0000_rundll32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 2e7c96ccd56ffd6485414e9062679923f7d4bf8c95dfcca99647ae18e286b750
                                                                                                              • Instruction ID: a0d6233dbdfaa7eb7c67d039b57c8deeae18bd3e8a989c5163f48b07ac2da512
                                                                                                              • Opcode Fuzzy Hash: 2e7c96ccd56ffd6485414e9062679923f7d4bf8c95dfcca99647ae18e286b750
                                                                                                              • Instruction Fuzzy Hash: 6BE04FB1D09248EFEB11DFA4E95159CBFB5EF41314B1041EADC08D7252EA349F05C782
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000003.2100899329.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_3_4ce0000_rundll32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4206f2c118583e5d0ed6703fa0b9f660806fbe577153f549bb5627b3bcb968b6
                                                                                                              • Instruction ID: 4b1940069262676f378ab9295ed694a10c69b04ceaf4b0ffbfc2c3f904f85493
                                                                                                              • Opcode Fuzzy Hash: 4206f2c118583e5d0ed6703fa0b9f660806fbe577153f549bb5627b3bcb968b6
                                                                                                              • Instruction Fuzzy Hash: D7D0977BF002308BEF010BA2A0053BA370FEB42230F0104C2E92AC7092EB208C0302CC
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000003.2100899329.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_3_4ce0000_rundll32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a4c81f8d9b3429b59eb7f1dd9a7209ece39fc85b3258a3f453d528fac93bf25f
                                                                                                              • Instruction ID: c865d7728d15b8fdb32068ffca3f032fad1e69f46c564e118e10b8edb6de8d6a
                                                                                                              • Opcode Fuzzy Hash: a4c81f8d9b3429b59eb7f1dd9a7209ece39fc85b3258a3f453d528fac93bf25f
                                                                                                              • Instruction Fuzzy Hash: 9DD0A73271402C6F92046A1BD84587A7BABEB852607154433F90183320DE70BC15A3D6
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000003.2100899329.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_3_4ce0000_rundll32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4ac307aa44ca2c756269a562c3971a8bee46ac457c8d8ea8089624177970b42f
                                                                                                              • Instruction ID: 9ebd9dfe8dd311d65bde159e77433392ad7f57b5df6153edfea4334e987655d9
                                                                                                              • Opcode Fuzzy Hash: 4ac307aa44ca2c756269a562c3971a8bee46ac457c8d8ea8089624177970b42f
                                                                                                              • Instruction Fuzzy Hash: E1D02B7721C5954FC7060F21F4100A93F32A7161207060153F191C72F2CF320511EB50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000003.2100899329.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_3_4ce0000_rundll32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8814a44da8cea0b0be7dca68f73c05d43ff488e13075165f1668817363b22a82
                                                                                                              • Instruction ID: 16076c04da2005d737363490e2df95fca8ffd85eb3a99df258460b9aecd26950
                                                                                                              • Opcode Fuzzy Hash: 8814a44da8cea0b0be7dca68f73c05d43ff488e13075165f1668817363b22a82
                                                                                                              • Instruction Fuzzy Hash: 20D0A93028030CAAF70122A3A819336329AA780B0CF680024EA0C091D0CFB8A9A0C290
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000003.2100899329.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_3_4ce0000_rundll32.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 5198510c061c2442e7adc05b6e2e75ee9502bbecf4c36f2730975a677d42ee61
                                                                                                              • Instruction ID: 5f8b2f7e56e89b6fa1eb4a88a963868bbf7cc14cbe66a967b5ecaf3600053c93
                                                                                                              • Opcode Fuzzy Hash: 5198510c061c2442e7adc05b6e2e75ee9502bbecf4c36f2730975a677d42ee61
                                                                                                              • Instruction Fuzzy Hash: 38D01270A0110CEF9B04DFA4EA0155DBBB9EF84304B1045A9D808D3311DE31AF049780
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000003.2100899329.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_3_4ce0000_rundll32.jbxd

                                                                                                              Execution Graph

                                                                                                              Execution Coverage:13.8%
                                                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                                                              Signature Coverage:4.3%
                                                                                                              Total number of Nodes:483
                                                                                                              Total number of Limit Nodes:39

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              APIs
                                                                                                              • RtlGetVersion.NTDLL(0000009C), ref: 00F94DBE
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3951188068.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_f90000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Version
                                                                                                              • String ID: `Q]q$`Q]q
                                                                                                              • API String ID: 1889659487-3952371890
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3972631485.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4a40000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: `Q]q$3yk
                                                                                                              • API String ID: 0-767385969
                                                                                                              • Opcode ID: 3d1c78dd64cd4ad4de48e640ad664c9078349f7d717b97607ac6896c0f167051
                                                                                                              • Instruction ID: 851c59cd0d4ea7c0a78625122d8e4c11fe405247d0d24f3c22a1fbced6233aa5
                                                                                                              • Opcode Fuzzy Hash: 3d1c78dd64cd4ad4de48e640ad664c9078349f7d717b97607ac6896c0f167051
                                                                                                              • Instruction Fuzzy Hash: B3E22874E00619CFDB25EF28C954A9DB7B6FF89304F1085EAD409AB264DB74AE85CF40

                                                                                                              APIs
                                                                                                              • CreateNamedPipeW.KERNEL32(00000000,?,?,?,?,?,00000001,00000004), ref: 050F1A64
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3974619604.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_50f0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateNamedPipe
                                                                                                              • String ID: 4L]q
                                                                                                              • API String ID: 2489174969-261793533
                                                                                                              • Opcode ID: a67dfc775de82a2bd4e012ac14459eb7c74f18200d3deffd92176626592581e7
                                                                                                              • Instruction ID: cec51e03dbe8fb6508c540038cff470115ae19284e49971538cca8515f1544a8
                                                                                                              • Opcode Fuzzy Hash: a67dfc775de82a2bd4e012ac14459eb7c74f18200d3deffd92176626592581e7
                                                                                                              • Instruction Fuzzy Hash: CB3100B1800348DFCB10CF9AD588A8EBFF5BF48314F14C069E919AB221D376A955CF60

                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3972631485.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4a40000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: ,
                                                                                                              • API String ID: 0-3772416878
                                                                                                              • Opcode ID: 6ca667a7bf109264afec9ebdab1629c4cfdd2d552de77b3e41addbad0f87c1ca
                                                                                                              • Instruction ID: b70cabb20aa9b70fcf4abe4a5bf2d1b1d3c9ba4d6c1e3bca9eaaafc53d3d9dcc
                                                                                                              • Opcode Fuzzy Hash: 6ca667a7bf109264afec9ebdab1629c4cfdd2d552de77b3e41addbad0f87c1ca
                                                                                                              • Instruction Fuzzy Hash: E9726E71E402198FDB24DF64C854BAEB7B6BFC8300F1185A9D509AB390EB74AD85CF91

                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3972631485.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4a40000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: Pj
                                                                                                              • API String ID: 0-2054447573
                                                                                                              • Opcode ID: c0ddfe07e671a7d86034529b7dd26b714752ac66a7afda32827a6e41d9f515a6
                                                                                                              • Instruction ID: b79344fc9aad446c017071fcd21d31580a2355c8eb941670bdd0ee9a17c0a8aa
                                                                                                              • Opcode Fuzzy Hash: c0ddfe07e671a7d86034529b7dd26b714752ac66a7afda32827a6e41d9f515a6
                                                                                                              • Instruction Fuzzy Hash: EF325B70A002189FDB14DF68D994A9DBBB6FFC8304F1185A9E809EB365DB34AD45CF90
                                                                                                              APIs
                                                                                                              • CreateProcessAsUserW.KERNEL32(?,00000000,00000000,?,?,?,?,?,00000000,?,?), ref: 050F196F
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3974619604.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_50f0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateProcessUser
                                                                                                              • String ID:
                                                                                                              • API String ID: 2217836671-0
                                                                                                              • Opcode ID: bd728e1161f9869586cbb9028605d1fe639abaa892ec0d0fc44474259312c86f
                                                                                                              • Instruction ID: 3f5a7920fff3180fcf8e1f46c4c7c70d3d2f13ccbeb26bce19910ac4d258a3fa
                                                                                                              • Opcode Fuzzy Hash: bd728e1161f9869586cbb9028605d1fe639abaa892ec0d0fc44474259312c86f
                                                                                                              • Instruction Fuzzy Hash: D9413376900209DFCF10CFA9D884ADEBBF6FF48310F14842AE918A7250D735A955CF90
                                                                                                              APIs
                                                                                                              • CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?), ref: 055D2ED5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3975823669.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_55d0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CryptDataUnprotect
                                                                                                              • String ID:
                                                                                                              • API String ID: 834300711-0
                                                                                                              • Opcode ID: b1bf996f73e8ebc50a22d0fc7b61f97075860774c8d1b4d1875baaa142505d01
                                                                                                              • Instruction ID: c92a9acbc17cfe176dbc49396f73af23510377475b0ab90eb3e15f26db9f768c
                                                                                                              • Opcode Fuzzy Hash: b1bf996f73e8ebc50a22d0fc7b61f97075860774c8d1b4d1875baaa142505d01
                                                                                                              • Instruction Fuzzy Hash: F331EEB2804249DFCB10DF9CC484BEEBFB4FF49320F14445AE954A7251D339A446CBA5
                                                                                                              APIs
                                                                                                              • CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?), ref: 055D2ED5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3975823669.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_55d0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CryptDataUnprotect
                                                                                                              • String ID:
                                                                                                              • API String ID: 834300711-0
                                                                                                              • Opcode ID: b026026a62228d0759ef9b014074c99d927fe4962153bfe5720fc155783ba953
                                                                                                              • Instruction ID: 776cfcff5bfd01dec116105394b4dee39f6f10d0b75427369f56cdc7bfede40e
                                                                                                              • Opcode Fuzzy Hash: b026026a62228d0759ef9b014074c99d927fe4962153bfe5720fc155783ba953
                                                                                                              • Instruction Fuzzy Hash: 6C2136B68002499FCF20DF99C845BEEBBF5FF48320F108459EA14A7210C339A555DFA5
                                                                                                              APIs
                                                                                                              • CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?), ref: 055D2ED5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3975823669.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_55d0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CryptDataUnprotect
                                                                                                              • String ID:
                                                                                                              • API String ID: 834300711-0
                                                                                                              • Opcode ID: 266a612a5a81c1c097b6fbc4d69a5d5db4608fb53f867dd76825e86ce9aa833c
                                                                                                              • Instruction ID: 31186b1afad06737a5accddbceadd257d5c7ff231972669336c44cba0ebd7adb
                                                                                                              • Opcode Fuzzy Hash: 266a612a5a81c1c097b6fbc4d69a5d5db4608fb53f867dd76825e86ce9aa833c
                                                                                                              • Instruction Fuzzy Hash: 032133B68002499FCF20DF99C845BEEBBF4FF48320F148419EA18A7250C739A551DFA1

                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3968277831.0000000003900000.00000040.00000800.00020000.00000000.sdmp, Offset: 03900000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3900000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 4']q$4']q$4']q$4']q$4']q
                                                                                                              • API String ID: 0-4248691736
                                                                                                              • Opcode ID: 9d8b4fa25f1696770f2cb3648c454ab8aea2fd891b0cd9d34870dc342cdb46d0
                                                                                                              • Instruction ID: b07731fb60b7027cc7482a600a75af754655076eefabbeb751755e4c519c84a4
                                                                                                              • Opcode Fuzzy Hash: 9d8b4fa25f1696770f2cb3648c454ab8aea2fd891b0cd9d34870dc342cdb46d0
                                                                                                              • Instruction Fuzzy Hash: 9DA1AD306047059FC719EB7CD991A8EBBFAFF85300B408A69D049DB3A5DB74A90DCB91

                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3968277831.0000000003900000.00000040.00000800.00020000.00000000.sdmp, Offset: 03900000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3900000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 4']q$4']q$4']q$4']q$4']q
                                                                                                              • API String ID: 0-4248691736
                                                                                                              • Opcode ID: 231d341b69d399a7073cf2136ae0058fa5b42d44e4c2ca652c88b6d9885b58ca
                                                                                                              • Instruction ID: e03abc350663a6b3a6a510d8c0c7a74ce4679e436aaa9bfa088266d5e156bf7b
                                                                                                              • Opcode Fuzzy Hash: 231d341b69d399a7073cf2136ae0058fa5b42d44e4c2ca652c88b6d9885b58ca
                                                                                                              • Instruction Fuzzy Hash: 4D817E30600B059FC719EF78E590A9EBBEAFF84300B408A68D149DB755DB75BA0DCB91

                                                                                                              Control-flow Graph
                                                                                                              • Graph omitted; it includes a CreateFileA call in block 50f5fd0-50f6053
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3974619604.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_50f0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 4L]q$_
                                                                                                              • API String ID: 0-3577883019
                                                                                                              • Opcode ID: aa33209e03dfa44cba46b20b74acceda79ce31072359fa2aa189e87787e82ad1
                                                                                                              • Instruction ID: d6d9159d178722c83e6eadb9f58ed711804f380d02103f9b2597710249d8e758
                                                                                                              • Opcode Fuzzy Hash: aa33209e03dfa44cba46b20b74acceda79ce31072359fa2aa189e87787e82ad1
                                                                                                              • Instruction Fuzzy Hash: A851CB70D043499FDB15CFA8D845B9EBFF1FF48314F2580AAE804AB692C7799846CB91

                                                                                                              Control-flow Graph (graph not reproduced)
                                                                                                              APIs
                                                                                                              • CreateFileA.KERNEL32(?,80000000,?,?,?,00000001,00000004), ref: 050F603D
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3974619604.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_50f0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateFile
                                                                                                              • String ID: 4L]q
                                                                                                              • API String ID: 823142352-261793533
                                                                                                              • Opcode ID: bc5d6eedda1df9e2c88dd8c633e19400d1e7b28bc97889306bf5eed0d524ccaf
                                                                                                              • Instruction ID: e2c66e58194cbba2ab102f71849f4f962304dbce124d87ac03793decfde7af86
                                                                                                              • Opcode Fuzzy Hash: bc5d6eedda1df9e2c88dd8c633e19400d1e7b28bc97889306bf5eed0d524ccaf
                                                                                                              • Instruction Fuzzy Hash: 5A516870D003499FDB10CFA9D845B9EBBF2FB48304F248169E908AB755D77A9845CF91

                                                                                                              Control-flow Graph (graph not reproduced)
                                                                                                              APIs
                                                                                                              • CreateFileA.KERNEL32(?,80000000,?,?,?,00000001,00000004), ref: 050F603D
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3974619604.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_50f0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateFile
                                                                                                              • String ID: 4L]q
                                                                                                              • API String ID: 823142352-261793533
                                                                                                              • Opcode ID: 481261b16cd9f1118fecbc4680ce4950ef1ea869844c7e79e8fee7faf1263493
                                                                                                              • Instruction ID: a4d024424013f0a17cb3f926ee10fa9aad3d9b91d706a354a32177f9ac383929
                                                                                                              • Opcode Fuzzy Hash: 481261b16cd9f1118fecbc4680ce4950ef1ea869844c7e79e8fee7faf1263493
                                                                                                              • Instruction Fuzzy Hash: D55165B0D002499FDB10CFA9D985B9EBBF2BF48304F248169E908AB795D7799845CF81

                                                                                                              Control-flow Graph (graph not reproduced)
                                                                                                              APIs
                                                                                                              • CreateNamedPipeW.KERNEL32(00000000,?,?,?,?,?,00000001,00000004), ref: 050F1A64
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3974619604.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_50f0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateNamedPipe
                                                                                                              • String ID: 4L]q
                                                                                                              • API String ID: 2489174969-261793533
                                                                                                              • Opcode ID: 681415f2eaa51524add37de79651b8d9da4c865b049c38ac7a4fbcf8d17d01d7
                                                                                                              • Instruction ID: dcc67a2ba3bd57377348736a41520464f07a7406344f83bf423ac6a6260bf219
                                                                                                              • Opcode Fuzzy Hash: 681415f2eaa51524add37de79651b8d9da4c865b049c38ac7a4fbcf8d17d01d7
                                                                                                              • Instruction Fuzzy Hash: A33122B2800348DFCB10CF9AD588A8EBFF5BF48314F148059E959AB221D379A555CF60

                                                                                                              Control-flow Graph (graph not reproduced)
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3972631485.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4a40000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: fbq$ fbq
                                                                                                              • API String ID: 0-113993086
                                                                                                              • Opcode ID: da97505f30ad7ebcf1421ba813457cb2e0472aa125cd6f898ded746135185280
                                                                                                              • Instruction ID: d461556ecd62c60adf7b66dcf74ee20e805633a4e987be7d7c88496911da2cd5
                                                                                                              • Opcode Fuzzy Hash: da97505f30ad7ebcf1421ba813457cb2e0472aa125cd6f898ded746135185280
                                                                                                              • Instruction Fuzzy Hash: 5F71CF31F003099FDB099FA9D85069FBBB6FFC5304F14856AE505AB341EB71A94A8B81

                                                                                                              Control-flow Graph (graph not reproduced)
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3968277831.0000000003900000.00000040.00000800.00020000.00000000.sdmp, Offset: 03900000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3900000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: (&]q$(aq
                                                                                                              • API String ID: 0-1602648543
                                                                                                              • Opcode ID: 58b9b4f9f96e8cde7132280e90548d81440dba6a7a5b67ebce23e09d0657d08f
                                                                                                              • Instruction ID: 2647148bdedd5c7b18c4a23c886439a7e5f8badb6c7669874afb509f88dc6191
                                                                                                              • Opcode Fuzzy Hash: 58b9b4f9f96e8cde7132280e90548d81440dba6a7a5b67ebce23e09d0657d08f
                                                                                                              • Instruction Fuzzy Hash: 42619035F002198FDB18EBB9C4906EEBAA6AFC4740F148529D406BB3C4DF74AE468791
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3972631485.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4a40000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 0u
                                                                                                              • API String ID: 0-3203441087
                                                                                                              • Opcode ID: 16e257183e719e631973944cddc9a7e4723cb14e0e6a27c73baef629d2adf4c0
                                                                                                              • Instruction ID: 55e8d5562bdae489789c676aac76f680fbef3ab67372f290e4ea13e143c6f905
                                                                                                              • Opcode Fuzzy Hash: 16e257183e719e631973944cddc9a7e4723cb14e0e6a27c73baef629d2adf4c0
                                                                                                              • Instruction Fuzzy Hash: C3426D74A00618CFDB64EF68D954A9DBBB6FF88310F1141D9E909AB365DB30AD85CF40
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3975823669.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_55d0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e7ac5c8cede6bd6109f5b12d52bf8ff1d89cdaab391d41909cf01b1f7350ad6c
                                                                                                              • Instruction ID: 18b6bc55fe41444b655be9ae8ed484b5bb17d564e63297e05b393fba5d7ec22c
                                                                                                              • Opcode Fuzzy Hash: e7ac5c8cede6bd6109f5b12d52bf8ff1d89cdaab391d41909cf01b1f7350ad6c
                                                                                                              • Instruction Fuzzy Hash: 56516972A006058FCB24DFADD884AAEFBF5FF88310F10892AD45AD3651D734E945CBA1
                                                                                                              APIs
                                                                                                              • CreateProcessAsUserW.KERNEL32(?,00000000,00000000,?,?,?,?,?,00000000,?,?), ref: 050F196F
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3974619604.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_50f0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateProcessUser
                                                                                                              • String ID:
                                                                                                              • API String ID: 2217836671-0
                                                                                                              • Opcode ID: 8851cdae0e70998f557b37ee9bad189915e6bfb1e7d357c66feb86fc9fd859e7
                                                                                                              • Instruction ID: dd8c0f0c1076aa9401a5fb81f84db1699208fdfd07c926851c7a21ba9c18d0b5
                                                                                                              • Opcode Fuzzy Hash: 8851cdae0e70998f557b37ee9bad189915e6bfb1e7d357c66feb86fc9fd859e7
                                                                                                              • Instruction Fuzzy Hash: 12412276900249EFCF10CFA9D884ADEBBF6FF48310F14842AE959A7250D739A955CF90
                                                                                                              APIs
                                                                                                              • ConnectNamedPipe.KERNEL32(00000000), ref: 050F20D0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3974619604.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_50f0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ConnectNamedPipe
                                                                                                              • String ID:
                                                                                                              • API String ID: 2191148154-0
                                                                                                              • Opcode ID: 4fc87c4ba787ce8688c58408fb90496605a12c07da56584e20851a52fbc0dd02
                                                                                                              • Instruction ID: d67a53c654a343d6277adb154965bb1e9903b6f4c375a2454b34c6853a343ac7
                                                                                                              • Opcode Fuzzy Hash: 4fc87c4ba787ce8688c58408fb90496605a12c07da56584e20851a52fbc0dd02
                                                                                                              • Instruction Fuzzy Hash: 042132B0C002599FCB24CFAAD884A9EBBF5BF08300F148069E949AB240DB349841CFA0
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3968277831.0000000003900000.00000040.00000800.00020000.00000000.sdmp, Offset: 03900000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3900000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: d
                                                                                                              • API String ID: 0-2564639436
                                                                                                              • Opcode ID: 347408f77bb1bf22643b3c98f1565423853c21d874b7ec30a8be212de8db09f4
                                                                                                              • Instruction ID: 0fd124a2256277fdf79faa05a5c03f6b4b97bded37da37a528fa663107995310
                                                                                                              • Opcode Fuzzy Hash: 347408f77bb1bf22643b3c98f1565423853c21d874b7ec30a8be212de8db09f4
                                                                                                              • Instruction Fuzzy Hash: 77D17075A00715DFCB04DF68D984A9AB7BAFF49310B118699E909AB365DB30FC85CF80
                                                                                                              APIs
                                                                                                              • ConnectNamedPipe.KERNEL32(00000000), ref: 050F20D0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3974619604.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_50f0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ConnectNamedPipe
                                                                                                              • String ID:
                                                                                                              • API String ID: 2191148154-0
                                                                                                              • Opcode ID: 6674b251fc15f76db48881ce1ec9bf8e8cae8cfdd87ad942120c5b07f5bf8a51
                                                                                                              • Instruction ID: 1ecc529c68e35576e92adb810d29106432dc9b9dfc593405799cd39bff785a65
                                                                                                              • Opcode Fuzzy Hash: 6674b251fc15f76db48881ce1ec9bf8e8cae8cfdd87ad942120c5b07f5bf8a51
                                                                                                              • Instruction Fuzzy Hash: 602115B5D002199FCB24DF9AD884B9EBBF5BF08300F148059E919B7340DB759945CFA0
                                                                                                              APIs
                                                                                                              • K32EnumProcesses.KERNEL32(00000000,00000000,?), ref: 055D6645
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3975823669.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_55d0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: EnumProcesses
                                                                                                              APIs
                                                                                                              • WaitNamedPipeW.KERNEL32(00000000), ref: 050F24AF
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3974619604.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_50f0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: NamedPipeWait
                                                                                                              APIs
                                                                                                              • WaitNamedPipeW.KERNEL32(00000000), ref: 050F24AF
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3974619604.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_50f0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: NamedPipeWait
                                                                                                              APIs
                                                                                                              • ProcessIdToSessionId.KERNEL32(00000000,?), ref: 055D671E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3975823669.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_55d0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ProcessSession
                                                                                                              APIs
                                                                                                              • ProcessIdToSessionId.KERNEL32(00000000,?), ref: 055D671E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3975823669.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_55d0000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ProcessSession
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3968277831.0000000003900000.00000040.00000800.00020000.00000000.sdmp, Offset: 03900000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3900000_ScreenConnect.jbxd
                                                                                                              • Opcode Fuzzy Hash: 1fa024008e379de0f4f1d6cbafd22c8a15b0978fa91c1098ac0325178cef9b41
                                                                                                              • Instruction Fuzzy Hash: 75516070B402068FDB04DF69D9909AEBBBAFFC4300B148669E405EB365DB34ED05CB91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3968277831.0000000003900000.00000040.00000800.00020000.00000000.sdmp, Offset: 03900000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3900000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 03d98b26bd95f4b474a2776b5c60653042c8cdeb97ed43465387fb2f9d127298
                                                                                                              • Instruction ID: 4b01de50579030b75588dcad7e42bd5d33bd291b8489259702b78fd4b6b4c832
                                                                                                              • Opcode Fuzzy Hash: 03d98b26bd95f4b474a2776b5c60653042c8cdeb97ed43465387fb2f9d127298
                                                                                                              • Instruction Fuzzy Hash: 5441EA34600B018FC724DF29D85862AB7FAFF89355B144B6DD496CB7A5DB30E816CB80
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3968277831.0000000003900000.00000040.00000800.00020000.00000000.sdmp, Offset: 03900000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3900000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 039e867ede52f845c3784b9248cbadfc942c2b166124fef6aef15cc68c4e7c73
                                                                                                              • Instruction ID: f197e628b48839045fa01064c492a95b50295bcbb438bab36054a7141704a5fd
                                                                                                              • Opcode Fuzzy Hash: 039e867ede52f845c3784b9248cbadfc942c2b166124fef6aef15cc68c4e7c73
                                                                                                              • Instruction Fuzzy Hash: 5B41AE31A452598FCB15CB68CD64A9DBBB5EF89310F0D40A6C045EF7B2C778A845CBA1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3968277831.0000000003900000.00000040.00000800.00020000.00000000.sdmp, Offset: 03900000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3900000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 5367e3b1691da320d5766873541f1f35f380d7c6972e5d6b72039318fe5d371d
                                                                                                              • Instruction ID: 4a135a38d4815c3becef7a1c2b427ac06a143f66c3ccb98a196b692de51c7ea2
                                                                                                              • Opcode Fuzzy Hash: 5367e3b1691da320d5766873541f1f35f380d7c6972e5d6b72039318fe5d371d
                                                                                                              • Instruction Fuzzy Hash: 1E4150706407018FC720DF29D984A5ABBF6FF89350B148A59D486CB3A5DB31E846CF90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3972631485.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4a40000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 14c072bc787de1db7cfd43e74f0549fb9e74655f7aadecbb53a836bf27d38861
                                                                                                              • Instruction ID: c1ae151198484c63a4a6bad08ca63f29d1f011000a74f6068e92fd9f6eee1a8b
                                                                                                              • Opcode Fuzzy Hash: 14c072bc787de1db7cfd43e74f0549fb9e74655f7aadecbb53a836bf27d38861
                                                                                                              • Instruction Fuzzy Hash: 53416434A00606CFCB10CF19C5849AABBF2FFC9310B19C9A9E6599B261D730F912CF90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3972631485.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4a40000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 97754bd470d2f2cb9b9b8c0cb2d9fda89571dcd5d62ba792502a85025ea3611e
                                                                                                              • Instruction ID: 6fbf1b3ceaa73747ebce9b3d36efbc8150f1f2fa1fa05d294782ab538e901e41
                                                                                                              • Opcode Fuzzy Hash: 97754bd470d2f2cb9b9b8c0cb2d9fda89571dcd5d62ba792502a85025ea3611e
                                                                                                              • Instruction Fuzzy Hash: 76418C31E006069BCB15DF68D9505DFBBFAEFD5304F258569D805AB224EBB1B90BCB80
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3972631485.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4a40000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 0233c7af8f4b80befc05cc5bf584a8752b10a3762844c5c2398fde03474087e1
                                                                                                              • Instruction ID: 98699590609bbc47663c4e79e4dbc073d458484486ec5a00b1f3d66913ace955
                                                                                                              • Opcode Fuzzy Hash: 0233c7af8f4b80befc05cc5bf584a8752b10a3762844c5c2398fde03474087e1
                                                                                                              • Instruction Fuzzy Hash: FF418131E002199FDB149FA8C8946EEBBB2FFC9300F108169E515BB255DB756942CBA1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3972631485.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4a40000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d3eb7de40555c405dd779ce50cf1f5c035db90459c859bffe53de933aa90e3e9
                                                                                                              • Instruction ID: fa47467ba9d7a5d1f0669db64feb1bcb01b8ce6a81886169c45d50b2b59f85e3
                                                                                                              • Opcode Fuzzy Hash: d3eb7de40555c405dd779ce50cf1f5c035db90459c859bffe53de933aa90e3e9
                                                                                                              • Instruction Fuzzy Hash: 9941DA31600B059BD734CF69D95199BB7F6FFC4320B108A2ED466D7690EB70F9098B51
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3972631485.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4a40000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ccda9086cccc58a9daf9e2e71a3dc74518344f86bac2b3969df33ae8bbafd82c
                                                                                                              • Instruction ID: 068588471d1b9b5dde460f5187680c21bbc62009ef1986fa3c416fab1a015c28
                                                                                                              • Opcode Fuzzy Hash: ccda9086cccc58a9daf9e2e71a3dc74518344f86bac2b3969df33ae8bbafd82c
                                                                                                              • Instruction Fuzzy Hash: 58419531A003089FEF149FB1C9647EE7BB6BFC9304F108529E505AB291EB75A946CB91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3968277831.0000000003900000.00000040.00000800.00020000.00000000.sdmp, Offset: 03900000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3900000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 00915282145778f55773e3ef007edaabcdab7070ce8843cfa826bd78a688caf5
                                                                                                              • Instruction ID: da3ff6c8306c3d42bcb71f0a16fec6846f81234bbbd1872b0f0de12a94ae7f92
                                                                                                              • Opcode Fuzzy Hash: 00915282145778f55773e3ef007edaabcdab7070ce8843cfa826bd78a688caf5
                                                                                                              • Instruction Fuzzy Hash: 7D317034F106158FCB04DBADD5819AEFBEAEFC9210B10846AD50AE7399DB30ED058B91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3972631485.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4a40000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b35c4ed079f75b0e065151d93bc2afeab548f487b5f0eab938c72f6920923d90
                                                                                                              • Instruction ID: 3a93b83474e65fbf584b6be2e808b501beb5078c7f7bd0b74933e4efc9d71e31
                                                                                                              • Opcode Fuzzy Hash: b35c4ed079f75b0e065151d93bc2afeab548f487b5f0eab938c72f6920923d90
                                                                                                              • Instruction Fuzzy Hash: 11316531B003089FEF14DFA5C9647EE7BB6BFC8704F108529E505AB291EB75A945CB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3972631485.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4a40000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 03b200ec1b2231f114789d237a34f50dae8de66dc1802a264faaa6bbe94a3f5d
                                                                                                              • Instruction ID: c64c9cb2391b9abee73d4cce9307365ed2fcf6a73741d1fc0a586e6d27c3a47d
                                                                                                              • Opcode Fuzzy Hash: 03b200ec1b2231f114789d237a34f50dae8de66dc1802a264faaa6bbe94a3f5d
                                                                                                              • Instruction Fuzzy Hash: 5E411A30A01214DFDB24DF69D999BAC77B2BFC9316F1042A9E5159B3A4DB35ED81CB00
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3968277831.0000000003900000.00000040.00000800.00020000.00000000.sdmp, Offset: 03900000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3900000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d7313f44f7c2d23c274f304025f50e72561a8f2525a8e47fa4fab9d82359fb66
                                                                                                              • Instruction ID: 05828da2055b518bce485e9cbc7f76936f24187e68b4c35105ec59a8cb800057
                                                                                                              • Opcode Fuzzy Hash: d7313f44f7c2d23c274f304025f50e72561a8f2525a8e47fa4fab9d82359fb66
                                                                                                              • Instruction Fuzzy Hash: 2E4128347006068FCB14DF68D994D5ABBF6FF8931071585A9E45ACB3A5DB34EC05CB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3972631485.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4a40000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a0b8de76495ea1d8155514b0241a80987f248741fd048949f6b6d640439f0a59
                                                                                                              • Instruction ID: 51bb01ab1792bfcc61c34d4d5b02b279aad9a6a7d02b2837bb01ed611147ce16
                                                                                                              • Opcode Fuzzy Hash: a0b8de76495ea1d8155514b0241a80987f248741fd048949f6b6d640439f0a59
                                                                                                              • Instruction Fuzzy Hash: 8C31AD76A112059FCB24DF99C4946EDF7B2FBC8324F56806AC909AB355DB31F802CB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3968277831.0000000003900000.00000040.00000800.00020000.00000000.sdmp, Offset: 03900000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3900000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 9997ac542ac8e76859e2bbd307734643ac044ad2429c716b7888219cbc5e6e59
                                                                                                              • Instruction ID: 622bb8e68b3d3729be11990ee4515689571ca996c127e3b2827782c5225737f1
                                                                                                              • Opcode Fuzzy Hash: 9997ac542ac8e76859e2bbd307734643ac044ad2429c716b7888219cbc5e6e59
                                                                                                              • Instruction Fuzzy Hash: E83159347006068FCB14EFA8D994D1ABBFAFF8831071585A8E55ACB3A5DB30EC05CB90
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c7289f38e73338d3d15cb862548c09609ea22731d6db7c9ec05657b469ad7c78
                                                                                                              • Instruction ID: 4db4a3cce02a23a2e7efed3da33295abb6a858a7425be0e34ac136b0716502fd
                                                                                                              • Opcode Fuzzy Hash: c7289f38e73338d3d15cb862548c09609ea22731d6db7c9ec05657b469ad7c78
                                                                                                              • Instruction Fuzzy Hash: E1215031D1070A9DCB00EFB9D8406EEFBB4EF99310F00CA6AD558A7111FB30A295C791
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3968277831.0000000003900000.00000040.00000800.00020000.00000000.sdmp, Offset: 03900000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3900000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 6b1239c48d120adfd28f14a3c21338fded0ec427d94d3dc701966656ee44b301
                                                                                                              • Instruction ID: a2d467059c49ef75b44ad07544cfdd9a387a6da73867f22471eb46cf21382e0c
                                                                                                              • Opcode Fuzzy Hash: 6b1239c48d120adfd28f14a3c21338fded0ec427d94d3dc701966656ee44b301
                                                                                                              • Instruction Fuzzy Hash: 0621A7302447016FC719EB28EC41E9DBBAAFF84310F008A78E4458B75ADB75A91ECBD1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3972631485.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4a40000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c2404a2a33844b55c8e9df1474a94cfa788977a1fa8193b7be582327a850ddc5
                                                                                                              • Instruction ID: a6345fe2acfa1bb3453b37e65a11907fb7c172fd5c6f4ee367c966d188eaeb23
                                                                                                              • Opcode Fuzzy Hash: c2404a2a33844b55c8e9df1474a94cfa788977a1fa8193b7be582327a850ddc5
                                                                                                              • Instruction Fuzzy Hash: D4217A316012019FCB24DF58C194A9DBBB2BFC8320F5684A9D849AB359DB31FC02CB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3968277831.0000000003900000.00000040.00000800.00020000.00000000.sdmp, Offset: 03900000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3900000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 6582416b0872e7e50fd35abf3b7fa726b4be552d007c3fd448ff457b683a624e
                                                                                                              • Instruction ID: 3fa8db540f7099481d09497625dc754fd6f4cc8f9042687141f9a8207170b192
                                                                                                              • Opcode Fuzzy Hash: 6582416b0872e7e50fd35abf3b7fa726b4be552d007c3fd448ff457b683a624e
                                                                                                              • Instruction Fuzzy Hash: B32128B6800249DFCF10CF9AC884ADEBBF5FF88310F148519E915A7250D739A555CFA1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3972631485.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4a40000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 66017619cc90028658e633e2f7a7e54538b44b451c925de0459e0d6058dee290
                                                                                                              • Instruction ID: de927a1b2d8a0fc522b81dd8325574db9c75700dbe6896f8126da78de216aca5
                                                                                                              • Opcode Fuzzy Hash: 66017619cc90028658e633e2f7a7e54538b44b451c925de0459e0d6058dee290
                                                                                                              • Instruction Fuzzy Hash: 91119D36E10B1AA9CB00ABB8D8405EEF374EFD5310F00CB2AE94577100FB70A6958781
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3968277831.0000000003900000.00000040.00000800.00020000.00000000.sdmp, Offset: 03900000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3900000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 317a85217440923aa168f8d4261ce2b1541a757d0f994b89798a99443c6fa6f6
                                                                                                              • Instruction ID: a8f92e714a0c23f34d52f13bb948d7c05d706227dd2c222badfed9f99a5d68f4
                                                                                                              • Opcode Fuzzy Hash: 317a85217440923aa168f8d4261ce2b1541a757d0f994b89798a99443c6fa6f6
                                                                                                              • Instruction Fuzzy Hash: 6621A774E4020A9FCB04EFA8D8A4DAEBBB5FF85300F008968E545EB354DB34A905CF91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3972631485.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4a40000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: bf92aab5f3fe63d0c327d77aaa0a5af5d570c660ce9549e092960876b1c4a02b
                                                                                                              • Instruction ID: 4f45229a86e1c9c0b420c1f47d5fc701fab100cd75492faeeabc29530be0fef5
                                                                                                              • Opcode Fuzzy Hash: bf92aab5f3fe63d0c327d77aaa0a5af5d570c660ce9549e092960876b1c4a02b
                                                                                                              • Instruction Fuzzy Hash: 1C114C71A04516DF9B05DF69C8408AABBF5FF8D320710866AE439D72A0EB30E905CB60
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3972631485.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4a40000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 6d69fd1c36fed9d3387cc644850541ee7e89aa06f42127c90c212e95b8e9e580
                                                                                                              • Instruction ID: a31ca50af204fb88776b6f31201b3423d80853982c8d5afae38f39c6244b6671
                                                                                                              • Opcode Fuzzy Hash: 6d69fd1c36fed9d3387cc644850541ee7e89aa06f42127c90c212e95b8e9e580
                                                                                                              • Instruction Fuzzy Hash: DE11D5717403456FE714DB18EC41A9B7BA9FFC4308B10852DE5019B351DFB2E90A8B80
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3968277831.0000000003900000.00000040.00000800.00020000.00000000.sdmp, Offset: 03900000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3900000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c0cf198d849745f01c7e956107fe6344e610e1e198159f26fbb02d76e1d91855
                                                                                                              • Instruction ID: 6ec68a515d485ad5d12325bfb959e3aa3209b603970acc547683680f6e996284
                                                                                                              • Opcode Fuzzy Hash: c0cf198d849745f01c7e956107fe6344e610e1e198159f26fbb02d76e1d91855
                                                                                                              • Instruction Fuzzy Hash: AF2115B68002499FCF10DF9AC844ADEFBF6FF88310F14841AE918A7250D739A555CFA1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3968277831.0000000003900000.00000040.00000800.00020000.00000000.sdmp, Offset: 03900000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3900000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: cdf03e8a9bfcc6a1db098a5959fc66a469b9101866d636f881bad174e12a82d6
                                                                                                              • Instruction ID: fec0210d639df6db2bdc5767491e328a4b66c5f3a203d7185b7cbc7c031d374f
                                                                                                              • Opcode Fuzzy Hash: cdf03e8a9bfcc6a1db098a5959fc66a469b9101866d636f881bad174e12a82d6
                                                                                                              • Instruction Fuzzy Hash: 9111AD763401108FC714DB2DF8909AEB7AAFFC932031985AAE50AC7351CA32DC17CB60
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3972631485.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4a40000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c9da25d863a4177eff1b266bd84d3c5e543d92e1ee893e5d249e0ed73d1a2beb
                                                                                                              • Instruction ID: 23de44ae1681602af48887f3f0872375c401dc967b49dd24f0ebdb13184ea081
                                                                                                              • Opcode Fuzzy Hash: c9da25d863a4177eff1b266bd84d3c5e543d92e1ee893e5d249e0ed73d1a2beb
                                                                                                              • Instruction Fuzzy Hash: 75219A753406108FC7249B28D994A5A7BA6FFC8710F1548ADE9468B3A5CA35EC4ACF80
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3968277831.0000000003900000.00000040.00000800.00020000.00000000.sdmp, Offset: 03900000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3900000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 0f0f3c11d95377bef22a787c164e4881268b8ee24f4b865f2ca62810e0f83775
                                                                                                              • Instruction ID: 418be8065ef899a7a8109456df815579cd6c6f3109868dac764a0cc46fbaa53f
                                                                                                              • Opcode Fuzzy Hash: 0f0f3c11d95377bef22a787c164e4881268b8ee24f4b865f2ca62810e0f83775
                                                                                                              • Instruction Fuzzy Hash: B7118131B002059FCB00EBACD9819AEBBB9FF85710B408579E519EB315EB35E9098B91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3972631485.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4a40000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8a8e93916b84f4085a92be30541059298a0a0f13b91baae98bf6c0c0c683fdac
                                                                                                              • Instruction ID: 56560a759657f9a95b9e18c323210d220872b1d2ba58c8ef6a37141ac43f8ef7
                                                                                                              • Opcode Fuzzy Hash: 8a8e93916b84f4085a92be30541059298a0a0f13b91baae98bf6c0c0c683fdac
                                                                                                              • Instruction Fuzzy Hash: E611FC34B412199FDB04DF68C995A9DBBF2BFC8300F158469D806EB3A5DB75AD02CB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3972631485.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4a40000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a7db9f995fb0e38aa0e8ea06cebdd56036b384cef5f7b26f3d88c79c66910a8e
                                                                                                              • Instruction ID: ef4ec96d8eec8b817aec2b6cbbef0d30c5ba88bc0005a1bacb0d842728c482c2
                                                                                                              • Opcode Fuzzy Hash: a7db9f995fb0e38aa0e8ea06cebdd56036b384cef5f7b26f3d88c79c66910a8e
                                                                                                              • Instruction Fuzzy Hash: 6E1130326042096F9705DFA9ED4099FBBAAFFC4254714852AF519DB320EB32E916CBD0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3972631485.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4a40000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 26706a36b41a953316597c0e284869ac5cc80e7226817032104ff1af9e5b87eb
                                                                                                              • Instruction ID: c637805310487137b2a744a09e47593349b9cdb01264852c7693fb1900c64fba
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: fce7c6cad9872dd5c08b83cd5a917516a97eb6f2c4ee2840b7146e90967307cd
                                                                                                              • Instruction ID: 6ec257676fa0820b8fd6334bff1df27e424d7c7137b9dea1eae251937c0f8e67
                                                                                                              • Opcode Fuzzy Hash: fce7c6cad9872dd5c08b83cd5a917516a97eb6f2c4ee2840b7146e90967307cd
                                                                                                              • Instruction Fuzzy Hash: 2A01D43154E3859FC722CBA8D8956C87FB4EF42204B0905EAC444CB297D6245A0EDB52
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3948247622.00000000008BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008BD000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_8bd000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 09c3b7770fd81f7ffe219366d75fd55d49f11e091ca5f684a66055cd98d175db
                                                                                                              • Instruction ID: 41b4f2a25f5e66ac74bc35c522d2989daf7dc6b7a08a80542d6fe8a29ab39299
                                                                                                              • Opcode Fuzzy Hash: 09c3b7770fd81f7ffe219366d75fd55d49f11e091ca5f684a66055cd98d175db
                                                                                                              • Instruction Fuzzy Hash: 9101F731005B04AAD720AA15C884BA7BF9CFF45324F18C429ED488B386D2799803CAB1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3972631485.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4a40000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 87b6c0d220f74369d69da8d68ccb911e580b9af24d31f0a19c75ec4954fd1f1a
                                                                                                              • Instruction ID: 25218c185fe9f9cdda93db01ee3c836ebc6c8e6adc942f9de4be5c4d97019ce2
                                                                                                              • Opcode Fuzzy Hash: 87b6c0d220f74369d69da8d68ccb911e580b9af24d31f0a19c75ec4954fd1f1a
                                                                                                              • Instruction Fuzzy Hash: 7101D6316802159FDB349BB9D8407ED7FA6EFC0351F14416AD809CB359DAB65941CBC0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3972631485.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4a40000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 15ee53e6dc966e6d42321ebb6fdbf52f189ed3413f19def3fd6746bad5cf023e
                                                                                                              • Instruction ID: 81e6cc52b59f6d3bb2394ac9d33c2c6a7bafc13dd44568cbe4a4df24a275d680
                                                                                                              • Opcode Fuzzy Hash: 15ee53e6dc966e6d42321ebb6fdbf52f189ed3413f19def3fd6746bad5cf023e
                                                                                                              • Instruction Fuzzy Hash: FE019231D242188BDF11CFA9C8446DDFBB9EFC9310F1042AAD815B7254EB715A95CB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3972631485.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4a40000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: cbaa031240cb86e5f95d12be0781f71ee8a6b7c3b7f1a4f02963583753914f1c
                                                                                                              • Instruction ID: 62c39412930c6cb5eed2091e103ed05b8cadce0674d1a1965be0973001097d51
                                                                                                              • Opcode Fuzzy Hash: cbaa031240cb86e5f95d12be0781f71ee8a6b7c3b7f1a4f02963583753914f1c
                                                                                                              • Instruction Fuzzy Hash: AB11CC71A04209CFEB14DFA5D858BAEBBB1BFCC305F148519D416A62A0EB74A441DF62
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3972631485.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4a40000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 12f200077d292ba832c2c9b2013d902e8e8ba7b2cd37d2c505a194a32d0bb8bf
                                                                                                              • Instruction ID: 25fc18a20ed618bd01d34563e48e7e23e8bca19b13ff2ab82c83f3b418ac4a25
                                                                                                              • Opcode Fuzzy Hash: 12f200077d292ba832c2c9b2013d902e8e8ba7b2cd37d2c505a194a32d0bb8bf
                                                                                                              • Instruction Fuzzy Hash: FB01A9322041096FCB01DFA4EC4099F7FE9FFC9254B04842AF915D7250DB31D916C790
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3972631485.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4a40000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c9443c9d963c7e277cf43e95566a9b192b0af7f0f82f41f770683a9b4fc08f70
                                                                                                              • Instruction ID: fd97c4959272afe1fe1062ebcde1aca2cb8cdcf423d169515c52223230584c2d
                                                                                                              • Opcode Fuzzy Hash: c9443c9d963c7e277cf43e95566a9b192b0af7f0f82f41f770683a9b4fc08f70
                                                                                                              • Instruction Fuzzy Hash: 37016930B403018FDB24DBA4D9646AE7BB6FBC4304F618829E506DB394DE74A90ACF81
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3972631485.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4a40000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 1440900d38ede5628bb12c0cf1da0d733c1e63e085c4f18f8567ad5172574c90
                                                                                                              • Instruction ID: b66332e440998c33df309f2f0ec8ea1f369792b80ab4928b6a8a88fb63c85367
                                                                                                              • Opcode Fuzzy Hash: 1440900d38ede5628bb12c0cf1da0d733c1e63e085c4f18f8567ad5172574c90
                                                                                                              • Instruction Fuzzy Hash: 76011E71E0021A8FCB50DFADD84459EBBF5FF88210B118569D559F3301EB34A905CB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3968277831.0000000003900000.00000040.00000800.00020000.00000000.sdmp, Offset: 03900000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3900000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: bac4c15b4d8f946f05a907fdb64e20072e51e89e56ee6bb317c16be31f75893f
                                                                                                              • Instruction ID: d0b5a934d1d7c31dbe9ae7d0d33bd324d7ebcd6295726b0c49883af10a7c8f09
                                                                                                              • Opcode Fuzzy Hash: bac4c15b4d8f946f05a907fdb64e20072e51e89e56ee6bb317c16be31f75893f
                                                                                                              • Instruction Fuzzy Hash: 4101D6315083849FC702CB59C850B5ABFB9EF86220B18C1DAE948CF356D6319851C762
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3968277831.0000000003900000.00000040.00000800.00020000.00000000.sdmp, Offset: 03900000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3900000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: cac35c38dff4b69c3bcdc4998b2eb95f7c3ec376e1d7b1ef8c8f7dd5eb479b1c
                                                                                                              • Instruction ID: 773a640f43da3d4f1af430eb9716c941178b81910c884d8bd5991bed75d15505
                                                                                                              • Opcode Fuzzy Hash: cac35c38dff4b69c3bcdc4998b2eb95f7c3ec376e1d7b1ef8c8f7dd5eb479b1c
                                                                                                              • Instruction Fuzzy Hash: 3AF081326442105FC715DB69D84199EBFE6EEC2310309C5BAD009CB3A6EF35E8068B91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3972631485.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4a40000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 25fc10979e729cf35e3434e5a81be2c17573e0eda21477d449f2a1ce9e85b2cb
                                                                                                              • Instruction ID: 7aa061435a6e4a97d52d063863dd1e2a78c58ff20f6dbab4337a3b95eecb26cc
                                                                                                              • Opcode Fuzzy Hash: 25fc10979e729cf35e3434e5a81be2c17573e0eda21477d449f2a1ce9e85b2cb
                                                                                                              • Instruction Fuzzy Hash: 71F04F71E04505DF9B50DF7ED8409AEB7F5EFC92607108679E439D3290E730E9058B60
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3968277831.0000000003900000.00000040.00000800.00020000.00000000.sdmp, Offset: 03900000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3900000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 51d6304410f5112b19809ad2185db317f750e2ddaf96eb6b2128c2fe175f326c
                                                                                                              • Instruction ID: f06c9cfa73e7e64c8928ddf25bbb78e8c0b67312949bf53d67506becc8950b9d
                                                                                                              • Opcode Fuzzy Hash: 51d6304410f5112b19809ad2185db317f750e2ddaf96eb6b2128c2fe175f326c
                                                                                                              • Instruction Fuzzy Hash: 78018631A892558FC352DF6CCC505E97FF0EE0611070904EAD885CB2B2D338B909DBA1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3972631485.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4a40000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 700f177c1cbe031579c81d9272a700c0bd0bb9d16b9fa65cb52b2685b8292200
                                                                                                              • Instruction ID: 29315acc5a5f63417512d6ce70725a5718b8aa4e8bb39203bdc257745310e11e
                                                                                                              • Opcode Fuzzy Hash: 700f177c1cbe031579c81d9272a700c0bd0bb9d16b9fa65cb52b2685b8292200
                                                                                                              • Instruction Fuzzy Hash: 09F078B1B001099BC724AB39EC101EEBBB6DFC8350F0041BAE509D7240DE346D86CB80
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3968277831.0000000003900000.00000040.00000800.00020000.00000000.sdmp, Offset: 03900000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3900000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 280a995054d6cd3c316357e89f7d18c902caefd2265b18a8219e25819b8a732b
                                                                                                              • Instruction ID: ae44c5d92079fc4cdd911e9d95180ce611a86a87357fa6c73ec7c9b9e0dc0fdd
                                                                                                              • Opcode Fuzzy Hash: 280a995054d6cd3c316357e89f7d18c902caefd2265b18a8219e25819b8a732b
                                                                                                              • Instruction Fuzzy Hash: 8201E4B2E00219DFCB44DFADD8416DEBBF1EF59210B1485A6D918EB364E331AA11CF81
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3968277831.0000000003900000.00000040.00000800.00020000.00000000.sdmp, Offset: 03900000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3900000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: fe2ed1fcc0ab8a431872b6401f7477a65e9c633bec59fc4d04746c8962f59626
                                                                                                              • Instruction ID: 181ba79d46cf6fd80e8fcb964fd0ba4f3650b161365934381714382efe8aee1a
                                                                                                              • Opcode Fuzzy Hash: fe2ed1fcc0ab8a431872b6401f7477a65e9c633bec59fc4d04746c8962f59626
                                                                                                              • Instruction Fuzzy Hash: 8BF09036600218AF8F05DEACEC409EE3B67EFC8360B044029FA09D7351CB3248159BA1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3968277831.0000000003900000.00000040.00000800.00020000.00000000.sdmp, Offset: 03900000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3900000_ScreenConnect.jbxd
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3972631485.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4a40000_ScreenConnect.jbxd
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3972631485.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4a40000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c4ca8122834e23ab85c07a2d0eaacca5553540b77556a7a3d1db15649ba8d981
                                                                                                              • Instruction ID: 7a36bef3a41fa567a9a14bcf4596f7f320e8503c0dc46981035aebf8484559a6
                                                                                                              • Opcode Fuzzy Hash: c4ca8122834e23ab85c07a2d0eaacca5553540b77556a7a3d1db15649ba8d981
                                                                                                              • Instruction Fuzzy Hash: 2FF03972905149EFDB02CFA0DD049D9BFB1EB1A310B00809AF90687620D7314A61EB50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3972631485.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4a40000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 72eedc2cb36e7206fd805f2872198909718770bd92795b6bafbc886784f81568
                                                                                                              • Instruction ID: a37562f6feba07a1c064be7158f122b9223e9f628bdb63fc6c21f490688850a8
                                                                                                              • Opcode Fuzzy Hash: 72eedc2cb36e7206fd805f2872198909718770bd92795b6bafbc886784f81568
                                                                                                              • Instruction Fuzzy Hash: 93F06D752442108FC300CF68D890F957BB0EF49314F0145D9E6168FBB2C2B6EC42CB40
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3968277831.0000000003900000.00000040.00000800.00020000.00000000.sdmp, Offset: 03900000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3900000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ea75026b08bce1f4ccb71e3f4d42570c0f3ed94acafad4e46f9b4f9b5a316c44
                                                                                                              • Instruction ID: 328bffc818fbae45959efbe569782c002ed04164929898d4924d56482ba672f7
                                                                                                              • Opcode Fuzzy Hash: ea75026b08bce1f4ccb71e3f4d42570c0f3ed94acafad4e46f9b4f9b5a316c44
                                                                                                              • Instruction Fuzzy Hash: A0E02631B105004FCB64DB3CD880EAE33E56F9422472182A4D00DCB361EA30AC01C791
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3972631485.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4a40000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8580185c32d6964f0850f1718c97098bf8d0ff55997271505d6b89919f27e3a2
                                                                                                              • Instruction ID: fde6d15c315df0d2cbc252f090d4a160ffe592e4a0a3e4e770eee3804889b7d3
                                                                                                              • Opcode Fuzzy Hash: 8580185c32d6964f0850f1718c97098bf8d0ff55997271505d6b89919f27e3a2
                                                                                                              • Instruction Fuzzy Hash: 66D0123624121A87E7289F9EE400395B799DFC0352F14853A948DC755CD5F7588197C0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3972631485.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4a40000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 2934da816746eb17ff2b752543ce05d15fe255be229b0edaf7682c7d590895ce
                                                                                                              • Instruction ID: 223488f02ac63a544f1cf7c92bad3e82ec8428c547eaa89db8b3f5fab4788156
                                                                                                              • Opcode Fuzzy Hash: 2934da816746eb17ff2b752543ce05d15fe255be229b0edaf7682c7d590895ce
                                                                                                              • Instruction Fuzzy Hash: 98E08672186A89EFD741CF3CE951CAD3FB5FA463103400996E486DB273DA28DC2AD761
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3972631485.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4a40000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 08130bd52185b9937f8f94e0dd6b0e0692bc42474632a976c8517950e80d4284
                                                                                                              • Instruction ID: 9f05e14665cac31b19f602c85955fd517e6b4b1872d2113d1578df0e66cb26bb
                                                                                                              • Opcode Fuzzy Hash: 08130bd52185b9937f8f94e0dd6b0e0692bc42474632a976c8517950e80d4284
                                                                                                              • Instruction Fuzzy Hash: 05E0C27288D2D04FC302DBB8E9A5CCCBF70AE1B26472505CBE405CB277D6156807C701
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3972631485.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4a40000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 54cd14672f22a66e4edba62af0303de91551f5e25c241b9f9f567502c7cbb0e2
                                                                                                              • Instruction ID: 98e04a8b65f000f685625b25263d94e476206ef3ce6ce3277601d8d2768a5a6e
                                                                                                              • Opcode Fuzzy Hash: 54cd14672f22a66e4edba62af0303de91551f5e25c241b9f9f567502c7cbb0e2
                                                                                                              • Instruction Fuzzy Hash: 30E04FB4985208ABDB41EFF49D05BCD7FB4AB05201F1081E9D604A7190E63516509B91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3972631485.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4a40000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 3c38f8ad0347a0af2de6f4fd8cb1f04989e64cf29808baf05d4ac456d023bcd5
                                                                                                              • Instruction ID: 061eb7fa0e98cfc4066aec8a47e520f638df75bf52c73ad75065540f23a5ffe9
                                                                                                              • Opcode Fuzzy Hash: 3c38f8ad0347a0af2de6f4fd8cb1f04989e64cf29808baf05d4ac456d023bcd5
                                                                                                              • Instruction Fuzzy Hash: 0CE04F7098120DEFDB40DFA8EA4059DBBF5EB45310F4086A9D508E7211EA396F5A8B40
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3968277831.0000000003900000.00000040.00000800.00020000.00000000.sdmp, Offset: 03900000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3900000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: fa926553dbea9c7a5430891b9108979a3f16cc4d36da4f487aa00aa9d94c7079
                                                                                                              • Instruction ID: 59e774b61e2737ed144d69dc1ee0f754f25ac75693aabbf56f4c3d5c5578bc1a
                                                                                                              • Opcode Fuzzy Hash: fa926553dbea9c7a5430891b9108979a3f16cc4d36da4f487aa00aa9d94c7079
                                                                                                              • Instruction Fuzzy Hash: CCE0B671D002299F8B80EFADD9015AEFBF4EF48210B10846AD91CE7201E3329B12CFC1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3972631485.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4a40000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 9a3ba80c3053184267ab67b32cba88c442d006dfca0cdfeb4f0dce71791f3ef0
                                                                                                              • Instruction ID: 0d112696c7befe9b74d503c03b9a6714a1c49ff75639748167244edcc2266af6
                                                                                                              • Opcode Fuzzy Hash: 9a3ba80c3053184267ab67b32cba88c442d006dfca0cdfeb4f0dce71791f3ef0
                                                                                                              • Instruction Fuzzy Hash: 9CE0E535E102098ACB01DFA4D8406DDFB75FF86324F104256E50477110E7712AD8CB91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3968277831.0000000003900000.00000040.00000800.00020000.00000000.sdmp, Offset: 03900000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3900000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4f75bccc75a1ef91d84c6201f6fad660581879ca477e04fbd94c08118cadf7a3
                                                                                                              • Instruction ID: c21a74159f1833659ab1356e0eec53d03f7bd891942657eb3b5ac37e13604e08
                                                                                                              • Opcode Fuzzy Hash: 4f75bccc75a1ef91d84c6201f6fad660581879ca477e04fbd94c08118cadf7a3
                                                                                                              • Instruction Fuzzy Hash: 21E08631408B48CFCB01BF78D850455BBB4FE97300B089AC6D4899F122EB31D594D782
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3972631485.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4a40000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 5d827afd0428dc48f3f98643ca468acfba9d1a217b78ff352f2fd17aa32b93f2
                                                                                                              • Instruction ID: f48c1db23664e295b9a2c5942da12949f02d5d1b65cb682d9251bcfb731457a6
                                                                                                              • Opcode Fuzzy Hash: 5d827afd0428dc48f3f98643ca468acfba9d1a217b78ff352f2fd17aa32b93f2
                                                                                                              • Instruction Fuzzy Hash: 48E04FB1A4A248EFC700DFB8EA5446C7BBADF45201B1501EAE808D7361EA346E099751
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3972631485.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4a40000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7a13efb602857c0d1a84750264f9b8153d1bae59bfd0d3aa98aa23e08c68649f
                                                                                                              • Instruction ID: d5aa4a91391bda4476ce1dffb4e5a7d4529929290f4ca4b2073393de367cda71
                                                                                                              • Opcode Fuzzy Hash: 7a13efb602857c0d1a84750264f9b8153d1bae59bfd0d3aa98aa23e08c68649f
                                                                                                              • Instruction Fuzzy Hash: 2AE0CD71B456106FC3054B60EC05995BF75FF5A310B06C056E90487253DA755C13C780
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3972631485.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4a40000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 5e55460df242fb9133bc832b1d96ebf748c89ad6d4acc4f3aaa476cffd4e344e
                                                                                                              • Instruction ID: a3a45ff3b16ecc5dc9c8a7e193261761860d88223c64c251dc23f7ac02a46faf
                                                                                                              • Opcode Fuzzy Hash: 5e55460df242fb9133bc832b1d96ebf748c89ad6d4acc4f3aaa476cffd4e344e
                                                                                                              • Instruction Fuzzy Hash: 49E08CB0A44602CFD710CF68A180A5537E0ABC822474045AAE405CF324E639EC838B41
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3968277831.0000000003900000.00000040.00000800.00020000.00000000.sdmp, Offset: 03900000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3900000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 97f129ee5f59e69ecd42ed2b4928cc2814b03e7eaa0097d3c40604b74efd4c17
                                                                                                              • Instruction ID: d5b6edb859b299738b16f7527d8030802e2d3e125e8ea3fbd6ed28ffc645cee6
                                                                                                              • Opcode Fuzzy Hash: 97f129ee5f59e69ecd42ed2b4928cc2814b03e7eaa0097d3c40604b74efd4c17
                                                                                                              • Instruction Fuzzy Hash: 9BD05E347601144FC794E738D44486E73DAAF8862439140A4D40DCB320EE60EC0147D1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3972631485.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4a40000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 3a3a0d8a447fa893226bf9c4d03144c6bd8aea07afd0e223765a1fa6f843181d
                                                                                                              • Instruction ID: b7f82e6403709cea801a9c1e377d12305b7000773c32eff6fdaed6d4415b72ed
                                                                                                              • Opcode Fuzzy Hash: 3a3a0d8a447fa893226bf9c4d03144c6bd8aea07afd0e223765a1fa6f843181d
                                                                                                              • Instruction Fuzzy Hash: CAE04F314147099FC700EFA4D950495FBB4EF85210F00C59FD9494B222EB75D692CB81
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3968277831.0000000003900000.00000040.00000800.00020000.00000000.sdmp, Offset: 03900000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3900000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 2668a01e8fbcb800ffb3e40b9f2f810b57f0a8596ec4d5c087b7ebd8ae54c2ec
                                                                                                              • Instruction ID: ead395b23b5ad91477e8160aaee214086da762f2246e9d3bd4c12b142f506649
                                                                                                              • Opcode Fuzzy Hash: 2668a01e8fbcb800ffb3e40b9f2f810b57f0a8596ec4d5c087b7ebd8ae54c2ec
                                                                                                              • Instruction Fuzzy Hash: 7BD01770A0110CFF8B04EFA8E90199DBBBDEB46201B1045E9D808D7300EA316F089B81
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3968277831.0000000003900000.00000040.00000800.00020000.00000000.sdmp, Offset: 03900000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3900000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 41ca632f05fe25448d68d7dfd4f101da872855daa979b248fef14dde336039b9
                                                                                                              • Instruction ID: a7b0e0ae466496ea2aed38b80098e27b27f00f92e14df6f9fd6c4ac7334d2383
                                                                                                              • Opcode Fuzzy Hash: 41ca632f05fe25448d68d7dfd4f101da872855daa979b248fef14dde336039b9
                                                                                                              • Instruction Fuzzy Hash: 9BD01770A4520CFF8B14EFA8E90199DB7F9EB44200F1046A8D409D7300EB316F089F91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3972631485.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4a40000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 60d7e4b74a8b2da6730fa0ce9e160a1c601fc4241d09dd6c01d76000a01e088d
                                                                                                              • Instruction ID: d2e64a345a1cc260cac61008e6bcc7189c5e6d705916e964a56edb39602d596a
                                                                                                              • Opcode Fuzzy Hash: 60d7e4b74a8b2da6730fa0ce9e160a1c601fc4241d09dd6c01d76000a01e088d
                                                                                                              • Instruction Fuzzy Hash: CFD05E75D4120CBACF40EBF88D01ACDBFB4AF04200F1001A5DA08A2190EA3117609781
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3972631485.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4a40000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 451afa49290e818f10eef6e3876f4527f3d84f2308b7b8cf0cfdd3916efec600
                                                                                                              • Instruction ID: 1d463bd0bd6e8d084afd8502dbadf2578e7114dd43e914d95b16a08fe9f82e1f
                                                                                                              • Opcode Fuzzy Hash: 451afa49290e818f10eef6e3876f4527f3d84f2308b7b8cf0cfdd3916efec600
                                                                                                              • Instruction Fuzzy Hash: 0DD01770A02208EFCB00EFA8EA4199DB7BDEB44205B1145A9E808E3311EA317F099B91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3972631485.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4a40000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a775aba019d6e371bbcb0da29e7680754e95b70dd0eda296b9aa2d3ec709f31d
                                                                                                              • Instruction ID: dbc270765b09fccee09df2f45085ddcad27b393c97ed65add77a091679ccd8fd
                                                                                                              • Opcode Fuzzy Hash: a775aba019d6e371bbcb0da29e7680754e95b70dd0eda296b9aa2d3ec709f31d
                                                                                                              • Instruction Fuzzy Hash: CCD01270940108EFCB40DFA8E90159DB7B9EB44214F5089A9D408E3251DA326F189B41
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3972631485.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4a40000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e8192086c4269a959b2ea718e790212dfe29bbe0061de1f7f22697b5c6ad68f0
                                                                                                              • Instruction ID: 29683b741cc3af7b1ff693e045de3dfa3743eaf8374ff9506fdc28a3a02572fb
                                                                                                              • Opcode Fuzzy Hash: e8192086c4269a959b2ea718e790212dfe29bbe0061de1f7f22697b5c6ad68f0
                                                                                                              • Instruction Fuzzy Hash: 3FE017B55065408FC701CB28E584888BBB0EF6A20D32A82C2E04CCB267DB21E802CBA0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3968277831.0000000003900000.00000040.00000800.00020000.00000000.sdmp, Offset: 03900000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3900000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 677cc1d646cc964ad9fc3618ccdcec0f989a024fc456c02da031193feefd89e5
                                                                                                              • Instruction ID: 8685ddc361429818630498be543b04aab50a2382a348536858f1d6a4c1a5d924
                                                                                                              • Opcode Fuzzy Hash: 677cc1d646cc964ad9fc3618ccdcec0f989a024fc456c02da031193feefd89e5
                                                                                                              • Instruction Fuzzy Hash: 07D017752080408FC705CB00C8A5808FBB1AF8920430DC1C998498F397C729E812CB91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3968277831.0000000003900000.00000040.00000800.00020000.00000000.sdmp, Offset: 03900000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_3900000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 78c776afdfa476063b1fb67a99d2e81ab63893c1e07963937149e038bae2dd2f
                                                                                                              • Instruction ID: ae8de28d2e78e46e0ac55c40e72818d0d113b28dc96a9ae9a910ff348ad2f622
                                                                                                              • Opcode Fuzzy Hash: 78c776afdfa476063b1fb67a99d2e81ab63893c1e07963937149e038bae2dd2f
                                                                                                              • Instruction Fuzzy Hash: F4D0C73181470D89C700BB78D454469F778EED5200F04C75AE44D57121FF70D5D0D681
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3972631485.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4a40000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ca03deb582254a82f787621fa36bbc17d9b71174fa6cdcf0b5321139b311f806
                                                                                                              • Instruction ID: d3a9220974bf461e4f8c599d66823e7fab5998476211e52f0cb3db39bf07120d
                                                                                                              • Opcode Fuzzy Hash: ca03deb582254a82f787621fa36bbc17d9b71174fa6cdcf0b5321139b311f806
                                                                                                              • Instruction Fuzzy Hash: 48D0C93224020D8F8704DFACD544C5D33E5AF896147400154F60597232CB30EC14DBA1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3972631485.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4a40000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 407279ead3ca79fcb3f56ff46d58062d4804b31fcbfe6cc98483ba92ed289562
                                                                                                              • Instruction ID: f0f9f1cb63b8137aa0967b0b3162ed5686c91cbb622186b638033e1c80392298
                                                                                                              • Opcode Fuzzy Hash: 407279ead3ca79fcb3f56ff46d58062d4804b31fcbfe6cc98483ba92ed289562
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.3951188068.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_f90000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: Haq$Haq
                                                                                                              • API String ID: 0-4016896955
                                                                                                              • Opcode ID: 18319083c032ca7604a792457be0d60f65775289e741b179a9b5d09c506d1636
                                                                                                              • Instruction ID: 22d219820bfd66a99a0fe707308872573148af752f53ea5d4709e3d4e9687541
                                                                                                              • Opcode Fuzzy Hash: 18319083c032ca7604a792457be0d60f65775289e741b179a9b5d09c506d1636
                                                                                                              • Instruction Fuzzy Hash: 56E16131D1065A8FCF05DFA8C8405DEFBB1FF99310F25865AE415BB211EB34AA86CB91

                                                                                                              Execution Graph

                                                                                                              Execution Coverage:7.1%
                                                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                                                              Signature Coverage:0%
                                                                                                              Total number of Nodes:8
                                                                                                              Total number of Limit Nodes:1
                                                                                                              execution_graph 28910 7ff848a68014 28912 7ff848a6801d 28910->28912 28911 7ff848a68082 28912->28911 28913 7ff848a680f6 SetProcessMitigationPolicy 28912->28913 28914 7ff848a68152 28913->28914 28915 7ff848a63642 28916 7ff848a85690 CreateNamedPipeW 28915->28916 28918 7ff848a857c3 28916->28918
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.3977555029.00007FF848D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ff848d70000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 8/H$@*H
                                                                                                              • API String ID: 0-1717671004
                                                                                                              • Opcode ID: e2344d7d28a4a92c1b6c3616bdcf94bd690ead7bd9efdbe9a1c0442ab73e9676
                                                                                                              • Instruction ID: fcbb2ac392968ddbaacf6cfa6a12f3df3f0d5be409b17c44b3148bee829c7d0c
                                                                                                              • Opcode Fuzzy Hash: e2344d7d28a4a92c1b6c3616bdcf94bd690ead7bd9efdbe9a1c0442ab73e9676
                                                                                                              • Instruction Fuzzy Hash: E0036C30E0A6598FEB69EB28C8957A8B7B1EF58340F1441F9D40DE7292DF34AD85CB44
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.3977555029.00007FF848D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ff848d70000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: ($U
                                                                                                              • API String ID: 0-603359895
                                                                                                              • Opcode ID: 78d49dee8c4662987878979885a8f4d8531fae9131b469d9793234a1dd391252
                                                                                                              • Instruction ID: 88be23aa84a4dde4bbf83e2bf06444cbd6f3d025d96964af3651ca80807d3860
                                                                                                              • Opcode Fuzzy Hash: 78d49dee8c4662987878979885a8f4d8531fae9131b469d9793234a1dd391252
                                                                                                              • Instruction Fuzzy Hash: DD82D6B180E7C64FE366AB2448167E93BE1EF56350F0405FAD4998F1E3EF18650E8396

                                                                                                              Control-flow Graph

                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.3977555029.00007FF848D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ff848d70000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: h`H$h`H$paH$paH
                                                                                                              • API String ID: 0-2843909100
                                                                                                              • Opcode ID: f9b0e19edcb8d1539f751ac9fdbf3e155cdf59173832d38a1682801529e265e6
                                                                                                              • Instruction ID: 13acc773ceed62f28f58322d2793c83bcbbb38e6522550bedbe9f1f3901a9d86
                                                                                                              • Opcode Fuzzy Hash: f9b0e19edcb8d1539f751ac9fdbf3e155cdf59173832d38a1682801529e265e6
                                                                                                              • Instruction Fuzzy Hash: 4F12D22BB0E5629EE611FA6DB4422FC6750EFD13B2F140177D24DDB083DE18768E42A9

                                                                                                              Control-flow Graph

                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.3977555029.00007FF848D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ff848d70000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: h`H$h`H$paH$paH
                                                                                                              • API String ID: 0-2843909100
                                                                                                              • Opcode ID: 517f20421218683d69ecbee24d21a9b384ae2dd8a060303b5317f253360fd17f
                                                                                                              • Instruction ID: 2ef2ccfd0fc6ced49d31f1983b5011acc9f6429fb30e0daf0530448ad4172c91
                                                                                                              • Opcode Fuzzy Hash: 517f20421218683d69ecbee24d21a9b384ae2dd8a060303b5317f253360fd17f
                                                                                                              • Instruction Fuzzy Hash: F1416C52F1DD8A5FE799FA3C58566B92BD1EF98680F5400B6D40CC3297DD149C468342

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 645 7ff848d7be05-7ff848d7be50 647 7ff848d7be9c-7ff848d7bebf 645->647 648 7ff848d7be52-7ff848d7be5d 645->648 651 7ff848d7bec5-7ff848d7bed7 647->651 652 7ff848d7bf54-7ff848d7bf57 647->652 648->647 653 7ff848d7bf1f-7ff848d7bf71 651->653 654 7ff848d7bed9-7ff848d7bef6 651->654 655 7ff848d7bf59-7ff848d7bf5a 652->655 656 7ff848d7bf61-7ff848d7bf68 652->656 657 7ff848d7bf72-7ff848d7bf81 653->657 654->657 660 7ff848d7bef8-7ff848d7bf1d 654->660 655->656 656->657 664 7ff848d7bf86-7ff848d7bfdd 657->664 665 7ff848d7bf83-7ff848d7bf85 657->665 660->653 665->664
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.3977555029.00007FF848D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ff848d70000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 0GH$DH$FH
                                                                                                              • API String ID: 0-3229941801
                                                                                                              • Opcode ID: 6d761023cb50d8b1db362f32ef1e8ad58d97061ad4340ca4ea22577c91f16af3
                                                                                                              • Instruction ID: 8ccf749989355409ec3817ecfda9b3cd8f643f57173c2304e445de7cd7179362
                                                                                                              • Opcode Fuzzy Hash: 6d761023cb50d8b1db362f32ef1e8ad58d97061ad4340ca4ea22577c91f16af3
                                                                                                              • Instruction Fuzzy Hash: F0413B2191FBD60FE786A73CA8656B57BE0FF52650B1841FBD089CB1D3DE18AC098381
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.3977555029.00007FF848D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ff848d70000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 0,H$@*H
                                                                                                              • API String ID: 0-1274844609
                                                                                                              • Opcode ID: d1a745369858201f2ae9f8fa769197caffab0ce49b2eca18dd103f42069af45e
                                                                                                              • Instruction ID: 39430fb815986b43a229425fd939febda508d653d51a0ebba1e224dd86b5c5fa
                                                                                                              • Opcode Fuzzy Hash: d1a745369858201f2ae9f8fa769197caffab0ce49b2eca18dd103f42069af45e
                                                                                                              • Instruction Fuzzy Hash: 6F418331A1D95B8FEB98FA2894957B933E1FF94384F5445B9C40DC3286DF38AC464784

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.3969683544.00007FF848A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A60000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ff848a60000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: MitigationPolicyProcess
                                                                                                              • String ID:
                                                                                                              • API String ID: 1088084561-0
                                                                                                              • Opcode ID: 3f6496f6c3258340acc9721827b92751229bfaa5e5acdd61072d9d81d28c842d
                                                                                                              • Instruction ID: 53910eca3d1dae4f25a21d945555194d2288330896940c004b653f99a925fabc
                                                                                                              • Opcode Fuzzy Hash: 3f6496f6c3258340acc9721827b92751229bfaa5e5acdd61072d9d81d28c842d
                                                                                                              • Instruction Fuzzy Hash: 40413931D1DB498FDB15EF689C4A5F97BE0EF55350F04027EE089C3192DB68A846C792

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 1784 7ff848a63642-7ff848a856fa 1787 7ff848a856fc-7ff848a85701 1784->1787 1788 7ff848a85704-7ff848a857c1 CreateNamedPipeW 1784->1788 1787->1788 1790 7ff848a857c9-7ff848a857fc 1788->1790 1791 7ff848a857c3 1788->1791 1791->1790
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.3969683544.00007FF848A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A60000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ff848a60000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateNamedPipe
                                                                                                              • String ID:
                                                                                                              • API String ID: 2489174969-0

                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.3977555029.00007FF848D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ff848d70000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 0,H
                                                                                                              • API String ID: 0-3640366367

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 1918 7ff848a63aa2-7ff848a680ef 1920 7ff848a680f6-7ff848a68150 SetProcessMitigationPolicy 1918->1920 1921 7ff848a68158-7ff848a68187 1920->1921 1922 7ff848a68152 1920->1922 1922->1921
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.3969683544.00007FF848A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A60000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ff848a60000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: MitigationPolicyProcess
                                                                                                              • String ID:
                                                                                                              • API String ID: 1088084561-0

                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.3977555029.00007FF848D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ff848d70000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 0,H
                                                                                                              • API String ID: 0-3640366367
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.3977555029.00007FF848D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ff848d70000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 0,H
                                                                                                              • API String ID: 0-3640366367
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.3977555029.00007FF848D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ff848d70000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: H
                                                                                                              • API String ID: 0-2852464175
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.3977555029.00007FF848D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ff848d70000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: @*H
                                                                                                              • API String ID: 0-1553558910
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.3977555029.00007FF848D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ff848d70000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: PfH
                                                                                                              • API String ID: 0-3259816621
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: dde29c5c22d2053b8ec65e5490ace1d3b60b6f255f261e123b90cee193fb3ab0
                                                                                                              • Instruction ID: cd91412476d47d1719921f49bc15f3b4510d5efdb19f44d049635fbab43b89bf
                                                                                                              • Opcode Fuzzy Hash: dde29c5c22d2053b8ec65e5490ace1d3b60b6f255f261e123b90cee193fb3ab0
                                                                                                              • Instruction Fuzzy Hash: A2D14F3860DA098FDB9CFF1CD0A1AA577E1FFA4344B2409ADD059CF297CA25E846CB44
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.3977555029.00007FF848D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ff848d70000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 55f9cc169bba0706d4caa4584c22cac58aee5e1a2f89f72f4b6f2e71d29707de
                                                                                                              • Instruction ID: b4137e6c22f95b8e00961fb30d42853d4621274cdd2297e2035bb779071eb796
                                                                                                              • Opcode Fuzzy Hash: 55f9cc169bba0706d4caa4584c22cac58aee5e1a2f89f72f4b6f2e71d29707de
                                                                                                              • Instruction Fuzzy Hash: 3CB17130A1E95A8FEB98FB288455BB973E2FF98740F5400B8D40DD7296DF38AC458B45
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.3977555029.00007FF848D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ff848d70000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 93f22a8b6afe0932db75b94f621624955023783185411164adce28b1dae6077f
                                                                                                              • Instruction ID: 52bfede800176a22c3d764197b8bd59b2ebbfe414bd98782d7843f804b92e248
                                                                                                              • Opcode Fuzzy Hash: 93f22a8b6afe0932db75b94f621624955023783185411164adce28b1dae6077f
                                                                                                              • Instruction Fuzzy Hash: 77A12A31A0DA8A5FEB98FE289855AB537D1FFA4760F0401BDD44EC7286DF25EC068784
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.3977555029.00007FF848D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ff848d70000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a6bb761ff61747dd467d1ac44a667fab6c056700c8e6c3f33dcd138b3934e84e
                                                                                                              • Instruction ID: 22142144a353b290cb0d3f698b2c812369aaa37ce7e608d4f587aa0de7769e69
                                                                                                              • Opcode Fuzzy Hash: a6bb761ff61747dd467d1ac44a667fab6c056700c8e6c3f33dcd138b3934e84e
                                                                                                              • Instruction Fuzzy Hash: F4915932D0EA4A5FE7A9F92894526B437E0EF55790F0401BED44EC7182EF14B84F8386
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.3977555029.00007FF848D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ff848d70000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ab85ada1db443b3e77022e739d404dd852f0d83fa4f2ac746801c1016cfd0263
                                                                                                              • Instruction ID: 7f5e6b2e78a86d0c63cd145f3f41725d421bfcdab7b31733b15b64727b1fdde5
                                                                                                              • Opcode Fuzzy Hash: ab85ada1db443b3e77022e739d404dd852f0d83fa4f2ac746801c1016cfd0263
                                                                                                              • Instruction Fuzzy Hash: 98A1363190E78D8FD759FB2898056A97BF1FF86344F0501BED45DC7292CB25A80AC785
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.3977555029.00007FF848D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ff848d70000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8d7366d765a0b89bee1853f9fd50fe1e1cc861c493eecec47b723e7a172d2703
                                                                                                              • Instruction ID: af02cab59d4646e9860eecc9196f2b8b8b73208de8c65b41ed77c946148f5e20
                                                                                                              • Opcode Fuzzy Hash: 8d7366d765a0b89bee1853f9fd50fe1e1cc861c493eecec47b723e7a172d2703
                                                                                                              • Instruction Fuzzy Hash: 5991543460DA4A8FDBCDEF28C495BA177E2FF99344B2445F9C059CB68BCA25E846C740
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.3977555029.00007FF848D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ff848d70000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: cf0ccc1d0893a86a110cf9f9d309e6b612fc9f8e1196cc83328a18771fbf4dad
                                                                                                              • Instruction ID: 228267da8e1ae30876b0ac6b092c8f8a5c687ac946e2f894774fe53aad4b9e4e
                                                                                                              • Opcode Fuzzy Hash: cf0ccc1d0893a86a110cf9f9d309e6b612fc9f8e1196cc83328a18771fbf4dad
                                                                                                              • Instruction Fuzzy Hash: 99911431E1FA8B4FEBA9FA2868517B477D1FF54780F1404BDC44E871C6EF28A8098649
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.3977555029.00007FF848D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ff848d70000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 140725a5014798f80f1f1dfb193f158f63d053441afd4db78fe11c5688cdb18e
                                                                                                              • Instruction ID: 937314c5ae68f32a91e2725c2745636d085b371f235ae66db8593b6005232413
                                                                                                              • Opcode Fuzzy Hash: 140725a5014798f80f1f1dfb193f158f63d053441afd4db78fe11c5688cdb18e
                                                                                                              • Instruction Fuzzy Hash: CD81A330E0FA4B8FF7A9B62984617B966D2EF94380F550878D04ED71C6DF28B8098359
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.3977555029.00007FF848D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ff848d70000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 393133f3a2896fa292a36ed09fb86504ccc3c383ed60c48a58d6ed7e848ef1fd
                                                                                                              • Instruction ID: 9d1b2e2e846c5bf553809276d624b7fad873e28ff3559908fe966e0b02d00664
                                                                                                              • Opcode Fuzzy Hash: 393133f3a2896fa292a36ed09fb86504ccc3c383ed60c48a58d6ed7e848ef1fd
                                                                                                              • Instruction Fuzzy Hash: 83711D7062DA0A8FEBA8FB98C495BA533D1FF68351F504078E54EC72D2DE64EC498744
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.3977555029.00007FF848D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ff848d70000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a0a814cbce6cf51a07281ddab06f7ffb18f41ec0cdd0234461e9464aa21fc30b
                                                                                                              • Instruction ID: b55d891adbc3815e5143a777bb8caeb526b32b281f44729a0c1f705e4454811c
                                                                                                              • Opcode Fuzzy Hash: a0a814cbce6cf51a07281ddab06f7ffb18f41ec0cdd0234461e9464aa21fc30b
                                                                                                              • Instruction Fuzzy Hash: DA61F53290D6598FDB15FF28E8966F97BB0FF16314F04027BD089C3152EB25A84ACB95
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.3977555029.00007FF848D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ff848d70000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 6c6d82eda19230c95fbbf62ac97ba52fbfd86594208daef9e3f6acc1c68f8fcc
                                                                                                              • Instruction ID: 02197b2e9d414fe0ba606ae072e163621010325cd6fa3d9f23467d987fc5cb08
                                                                                                              • Opcode Fuzzy Hash: 6c6d82eda19230c95fbbf62ac97ba52fbfd86594208daef9e3f6acc1c68f8fcc
                                                                                                              • Instruction Fuzzy Hash: F5516D32D0EE8A8FEB66BB686C562A97BF1FF94390F04017AD41DC3192DF2468098745
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.3977555029.00007FF848D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ff848d70000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c47d6b341e048047a79364ba0dd3a83575b9d7fa7a0f2be99d5d0106cbfb3d40
                                                                                                              • Instruction ID: 94379207d2eaadb0b4a9d7d661f3dc4262b2041bea9a04ec3208a31255348c3d
                                                                                                              • Opcode Fuzzy Hash: c47d6b341e048047a79364ba0dd3a83575b9d7fa7a0f2be99d5d0106cbfb3d40
                                                                                                              • Instruction Fuzzy Hash: 04513321E0E98A4FEBA8FA2894057B473D1FF54780F1444BEC44EC71C6EF28A84A8745
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.3977555029.00007FF848D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ff848d70000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ea788a5381ee1336435d0309666b69ca32650ed7a0f0ae2d1a861ed6e495e8f1
                                                                                                              • Instruction ID: 3c65a842425e6eadf0c9739d67501016d4fce1abf4e96b64aa5bf0d1a306dc04
                                                                                                              • Opcode Fuzzy Hash: ea788a5381ee1336435d0309666b69ca32650ed7a0f0ae2d1a861ed6e495e8f1
                                                                                                              • Instruction Fuzzy Hash: 91514321E0E9864FEBA8FA3894557B473E1FF54780F1444BED44EC71C6EF28A84A8745
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.3977555029.00007FF848D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ff848d70000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4729e6a3894b99505d0d87ef4a104cd562709a239806a0ed020860e1a1235076
                                                                                                              • Instruction ID: bc904e50ff0a3c197800bf3ba5c884bdbad578df4d40274b49731ff1ba29755f
                                                                                                              • Opcode Fuzzy Hash: 4729e6a3894b99505d0d87ef4a104cd562709a239806a0ed020860e1a1235076
                                                                                                              • Instruction Fuzzy Hash: BD51F472E0DA8A5FE796EA3858693B83BD1EF98740F5400B9C04CD32D6DF29A8468705
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.3977555029.00007FF848D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ff848d70000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: f73a755ec3cce8e5af581012d3a404a1c95fe979957bd5dca1d996fd21de2bb9
                                                                                                              • Instruction ID: 434bcdc2e63b913dce9c783689128b7aa27597c45c99387c758473bfafe6abf1
                                                                                                              • Opcode Fuzzy Hash: f73a755ec3cce8e5af581012d3a404a1c95fe979957bd5dca1d996fd21de2bb9
                                                                                                              • Instruction Fuzzy Hash: DC410671A1DA0D8FEB94FB6898896B877E2FF69351F04017AD01DD3282DF25A8068785
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.3977555029.00007FF848D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ff848d70000_ScreenConnect.jbxd
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.3977555029.00007FF848D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ff848d70000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ea6b1df49d4bacd089b6073fcb10cf36a95849d3449254c1e1517f6af93900f2
                                                                                                              • Instruction ID: 54b324967f292a229ae9062b24387c326ad9fb25d7b486c0c32f01c636094d5c
                                                                                                              • Opcode Fuzzy Hash: ea6b1df49d4bacd089b6073fcb10cf36a95849d3449254c1e1517f6af93900f2
                                                                                                              • Instruction Fuzzy Hash: A4116031A0998A9FDB88FF28C455B6577E1FF68340F1441B8C44EDB297CF25E84A8785
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.3977555029.00007FF848D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ff848d70000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 3f3d5bb056ba54bd6727ead712c9144bb822f92b2353faaee70419c54d3564b3
                                                                                                              • Instruction ID: 65591e283f1d74cdbb0469c6379b6101136c75e455100225984f683a33262b3c
                                                                                                              • Opcode Fuzzy Hash: 3f3d5bb056ba54bd6727ead712c9144bb822f92b2353faaee70419c54d3564b3
                                                                                                              • Instruction Fuzzy Hash: 96012821E2ED4B1EFB98BA6C2496BBA17A1EF98284F5040B5D40DC728ADD3CDC854352
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.3977555029.00007FF848D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ff848d70000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d6d22d8c864db07c26e19f2510d409637983b57613d5048ab35466583bf532af
                                                                                                              • Instruction ID: 0b533fa7d07d00f2223f3ec29e525a0561deb8f5c2045aa35b9f17c9c7ea4451
                                                                                                              • Opcode Fuzzy Hash: d6d22d8c864db07c26e19f2510d409637983b57613d5048ab35466583bf532af
                                                                                                              • Instruction Fuzzy Hash: 2B11061590EB434EF76AB32884A13796AE2EF81390F1980BAC449C71D6DE6C9CC98305
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.3977555029.00007FF848D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ff848d70000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a7f0cea57698fd2f417e7c0ccd60400e8e2d8b850d33f6f4e7c445fffed0038e
                                                                                                              • Instruction ID: fda7fd0d17611cfb409b026d56fe53990efe4e60e80d3402dd3c703d903018b3
                                                                                                              • Opcode Fuzzy Hash: a7f0cea57698fd2f417e7c0ccd60400e8e2d8b850d33f6f4e7c445fffed0038e
                                                                                                              • Instruction Fuzzy Hash: D6116D74909A5C8FDB59EF18C8997A9B7F0FB94301F0006AEC44AE3250CF311985DF45
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.3977555029.00007FF848D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ff848d70000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 981d3a76c666ad8243ed91ba6e149c32a5bf54052e88a7416f9a52f31d41d237
                                                                                                              • Instruction ID: f5c886b5c3e167fd4994872dd3fe896a7d65f85581d6857dd4a78e869ed38569
                                                                                                              • Opcode Fuzzy Hash: 981d3a76c666ad8243ed91ba6e149c32a5bf54052e88a7416f9a52f31d41d237
                                                                                                              • Instruction Fuzzy Hash: 4DF0283290E6599FDB01FB3CE4519EABBA0EF06358B0501B7D08DC7062EB35584DC795
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.3977555029.00007FF848D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ff848d70000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 87a9d23f0b24b11c1f6cc73af043a86cf9cd54cf20af7e67c2f6b6ad6e9cae83
                                                                                                              • Instruction ID: e960c8c5784e7425722ddd854a99f0684f96db3e20b0857ec1bd8f45f5bddb59
                                                                                                              • Opcode Fuzzy Hash: 87a9d23f0b24b11c1f6cc73af043a86cf9cd54cf20af7e67c2f6b6ad6e9cae83
                                                                                                              • Instruction Fuzzy Hash: E8E09BB114E50C6EA61CAA55AC079F7379CE747134F00111FE18E85002F552B52382A5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.3977555029.00007FF848D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ff848d70000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: f4b5df0ce099d4fc228036775573da61baa259a82225c7db03b32f9f36b3f449
                                                                                                              • Instruction ID: 45fa555aaa20ccc3f8133f530ab950f806b49998367d4266fd6b45e09bd8fa33
                                                                                                              • Opcode Fuzzy Hash: f4b5df0ce099d4fc228036775573da61baa259a82225c7db03b32f9f36b3f449
                                                                                                              • Instruction Fuzzy Hash: C7F0B452B0E98A4EE39AE92CA8262743AD1DB54250B5850FAC01DC71A3CD149C098304
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.3977555029.00007FF848D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ff848d70000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: f9d744617331e02aefa90ca2a6b9adfc2af306b86157cc4971de7b5571ad33a0
                                                                                                              • Instruction ID: b015ecb18c7d1a710368b1383b8675e530777fb19dfeaa10d4025ee48b152af4
                                                                                                              • Opcode Fuzzy Hash: f9d744617331e02aefa90ca2a6b9adfc2af306b86157cc4971de7b5571ad33a0
                                                                                                              • Instruction Fuzzy Hash: B4F0623191D7C98FD71A7F3488661A97FB1FF45240F5800FAE449C71A3DE689949C781
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.3977555029.00007FF848D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ff848d70000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7099ae29857825af5d3d362aa32c457d0e4ea1c0321bbb25e95dbe717416c45b
                                                                                                              • Instruction ID: c01767b5a9cd09e894a06c781bdab751bfd4ca85795155d97ad782426cdd8d6a
                                                                                                              • Opcode Fuzzy Hash: 7099ae29857825af5d3d362aa32c457d0e4ea1c0321bbb25e95dbe717416c45b
                                                                                                              • Instruction Fuzzy Hash: 59F0653540D69C9FDF46EB78E4518E57F70FE16321B0501C7E049CB053D7219A59CB82
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.3977555029.00007FF848D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ff848d70000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 2e3345d76d1e630ca3d5476c4dcd86ff5d84e8573c39663e28a73c7e5254092c
                                                                                                              • Instruction ID: a1905dfb0f060e568fe2e8d3ccab3aea38c9b23f41aef7081b3fba2485fcea6e
                                                                                                              • Opcode Fuzzy Hash: 2e3345d76d1e630ca3d5476c4dcd86ff5d84e8573c39663e28a73c7e5254092c
                                                                                                              • Instruction Fuzzy Hash: F0E0926190F3C40FD756AB7488688E13F60AE1322030901EBD4818F0B3E6158949C746
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.3977555029.00007FF848D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ff848d70000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8d09286f0ee9acf924005ba04917945deb061a20864f8d4bd52e7662e6abecb9
                                                                                                              • Instruction ID: 2328438cd608a03a73b75d3d76e121f0824a7d147fad69f68751aca82bc4a346
                                                                                                              • Opcode Fuzzy Hash: 8d09286f0ee9acf924005ba04917945deb061a20864f8d4bd52e7662e6abecb9
                                                                                                              • Instruction Fuzzy Hash: C4E0C21A94FA134AFB6C7135B8923BAA0C28F443A0F4980BED41DC20C9CE9C9CC4819A
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.3977555029.00007FF848D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ff848d70000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 32a0b08f1ffd402ab33306fb9b146b76bf602934a80b4ab3389d0c521176af3b
                                                                                                              • Instruction ID: 5164043ba5baf1d1f7b946cf614fd07a7662032715f10b7597970e42bc449825
                                                                                                              • Opcode Fuzzy Hash: 32a0b08f1ffd402ab33306fb9b146b76bf602934a80b4ab3389d0c521176af3b
                                                                                                              • Instruction Fuzzy Hash: 83D09E01B6DC5E0ED594B66C34462B842D2F798A94F8808F6D51DD728AED485C860385
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.3977555029.00007FF848D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ff848d70000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 5a0cc065971611f1718dc4d1cc9945da2beec5d54baddefebc73ee07c9e2506d
                                                                                                              • Instruction ID: f4d27984517fd96cb49e96dc21efd5c49176bb760fc53e067b44db9abc20090d
                                                                                                              • Opcode Fuzzy Hash: 5a0cc065971611f1718dc4d1cc9945da2beec5d54baddefebc73ee07c9e2506d
                                                                                                              • Instruction Fuzzy Hash: FAE0127151DE4A4FE784EB0CD4929A9F7D0FB98398F50067EE08DD22A0DB69D5808706
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.3977555029.00007FF848D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ff848d70000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 3bd8fd20732132751098937855ac402d4c90272097099b27e4986f23516dbaa1
                                                                                                              • Instruction ID: 3b9208a94f4246d0b48e6c6f66b284160ca8ba17b90a8612d75e24fd2b8cbc1c
                                                                                                              • Opcode Fuzzy Hash: 3bd8fd20732132751098937855ac402d4c90272097099b27e4986f23516dbaa1
                                                                                                              • Instruction Fuzzy Hash: A6C09214E1EA8A5FF249FF2884422BE21936F98280F948435E08E9219ACF7CA512565E
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.3977555029.00007FF848D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_7ff848d70000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: HMH$XMH$hJH$hMH$xJH
                                                                                                              • API String ID: 0-668278880
                                                                                                              • Opcode ID: 6c9225343f6af08176207f312b2f698390d56f307447b078dd491e2449cbd9ae
                                                                                                              • Instruction ID: 827f9955a66b082c6e8b95ffc1c9ea107eeb0a55232d5f41a11fd516d598f2c4
                                                                                                              • Opcode Fuzzy Hash: 6c9225343f6af08176207f312b2f698390d56f307447b078dd491e2449cbd9ae
                                                                                                              • Instruction Fuzzy Hash: C4B11953D0F5C66FE317A63C685A6F92F90EF426A4F0901F7D4884B19BEE1C190E8359

                                                                                                              Execution Graph

                                                                                                              Execution Coverage:13.7%
                                                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                                                              Signature Coverage:0%
                                                                                                              Total number of Nodes:16
                                                                                                              Total number of Limit Nodes:1
execution_graph
15711 7ff848d88e04 15712 7ff848d88e0d 15711->15712 15713 7ff848d88fa9 GlobalMemoryStatusEx 15712->15713 15715 7ff848d88f08 15712->15715 15714 7ff848d88fd5 15713->15714
15702 7ff848a78014 15703 7ff848a7801d 15702->15703 15704 7ff848a78082 15703->15704 15705 7ff848a780f6 SetProcessMitigationPolicy 15703->15705 15706 7ff848a78152 15705->15706
15707 7ff848a73662 15708 7ff848a95670 ConnectNamedPipe 15707->15708 15710 7ff848a95722 15708->15710
15716 7ff848a73642 15717 7ff848a954d0 CreateNamedPipeW 15716->15717 15719 7ff848a95603 15717->15719

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000B.00000002.2224789464.00007FF848D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D80000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_11_2_7ff848d80000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: GlobalMemoryStatus
                                                                                                              • String ID:
                                                                                                              • API String ID: 1890195054-0
                                                                                                              • Opcode ID: 9cc64184238a53b88586a71eb2e1442ab9886371315977aefff920f725caf8a4
                                                                                                              • Instruction ID: 26ba518c72cf5c907cd157656daa7187936c6fae431991ea5a8b5c1bf8a171f3
                                                                                                              • Opcode Fuzzy Hash: 9cc64184238a53b88586a71eb2e1442ab9886371315977aefff920f725caf8a4
                                                                                                              • Instruction Fuzzy Hash: 3F81F431C0EA894FE766EB6888057B87FE1EF56391F0401BAD06DC7593DF29680E9345

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000B.00000002.2216212447.00007FF848A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_11_2_7ff848a70000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: MitigationPolicyProcess
                                                                                                              • String ID:
                                                                                                              • API String ID: 1088084561-0
                                                                                                              • Opcode ID: 6560a645b90d9485889e40408a3622a4fbd01f44b8ef2f7eac7c1a2ff2ee31c8
                                                                                                              • Instruction ID: ef19916c2c4e472402cc8db4497d232a439eda10a55ffe43e5046b3d8869fd3a
                                                                                                              • Opcode Fuzzy Hash: 6560a645b90d9485889e40408a3622a4fbd01f44b8ef2f7eac7c1a2ff2ee31c8
                                                                                                              • Instruction Fuzzy Hash: 4841473190DB488FDB15EFA8984A5F97BE0EF55350F04027FE049C3292DF68A846C796

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 391 7ff848a73642-7ff848a9553a 394 7ff848a95544-7ff848a95601 CreateNamedPipeW 391->394 395 7ff848a9553c-7ff848a95541 391->395 397 7ff848a95603 394->397 398 7ff848a95609-7ff848a9563c 394->398 395->394 397->398
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000B.00000002.2216212447.00007FF848A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_11_2_7ff848a70000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateNamedPipe
                                                                                                              • String ID:
                                                                                                              • API String ID: 2489174969-0
                                                                                                              • Opcode ID: 5b94aa9e2939994c67f21b93a000fbd7513ce38e62cf6c076cd805e55599affa
                                                                                                              • Instruction ID: 97d3cc6cadc1b2f9ab5e53de77d1be0e5c17e387c142485eceaacc1e81603514
                                                                                                              • Opcode Fuzzy Hash: 5b94aa9e2939994c67f21b93a000fbd7513ce38e62cf6c076cd805e55599affa
                                                                                                              • Instruction Fuzzy Hash: 4C51A07191CA1C8FDB68EF5C9846BE9BBE0FB59710F0442AEE04DD3241CB70A8458BC2

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 400 7ff848a73662-7ff848a95720 ConnectNamedPipe 404 7ff848a95722 400->404 405 7ff848a95728-7ff848a95770 call 7ff848a95771 400->405 404->405
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000B.00000002.2216212447.00007FF848A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_11_2_7ff848a70000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ConnectNamedPipe
                                                                                                              • String ID:
                                                                                                              • API String ID: 2191148154-0
                                                                                                              • Opcode ID: 41e5a40320f790b696a6e56f6adf0c26932a06d46506815cf04357e83ed57d8f
                                                                                                              • Instruction ID: 225a8826ccaf11ed3d07b6192d858e52fb637abecb5ca5b54bdd16e7a540777d
                                                                                                              • Opcode Fuzzy Hash: 41e5a40320f790b696a6e56f6adf0c26932a06d46506815cf04357e83ed57d8f
                                                                                                              • Instruction Fuzzy Hash: 25317C70908A1C8FDB58EF98D849BEDB7F1FB58311F00826AD04DD7255DB70A9858B81

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 409 7ff848a73aa2-7ff848a780ef 411 7ff848a780f6-7ff848a78150 SetProcessMitigationPolicy 409->411 412 7ff848a78158-7ff848a78187 411->412 413 7ff848a78152 411->413 413->412
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000B.00000002.2216212447.00007FF848A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_11_2_7ff848a70000_ScreenConnect.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: MitigationPolicyProcess
                                                                                                              • String ID:
                                                                                                              • API String ID: 1088084561-0
                                                                                                              • Opcode ID: 73c5ea9eb65a8b193d70556134a967d4cf2247ff9d83cfb4de0b94c049b1054c
                                                                                                              • Instruction ID: b07eb0993330fa0d999c2884e72a37ab0d18c274cb2daf1031a5ebd7f7fe5944
                                                                                                              • Opcode Fuzzy Hash: 73c5ea9eb65a8b193d70556134a967d4cf2247ff9d83cfb4de0b94c049b1054c
                                                                                                              • Instruction Fuzzy Hash: 3221D73191CB188FDB18AF9C9C4A6F9B7E0EB55711F00413EE049D3251DB74B8458B96